Hackers linked to Chinese government used mobile malware to spy on ethnic minority

Lookout researchers say a hacking group likely linked to the Chinese government is conducting targeted surveillance against an ethnic minority known as the Uighurs.

Security researchers say a hacking group likely linked to the Chinese government is conducting targeted surveillance against a Chinese ethnic minority, known as the Uighurs, through the deployment of sophisticated mobile malware, according to new evidence published Friday by U.S. cybersecurity firm Lookout.

The attackers are associated with a known Chinese threat actor previously codenamed “Scarlet Mimic” by security researchers with Palo Alto Networks, according to Michael Flossman, a senior security researcher with Lookout.

Based on separate research by Palo Alto Networks and ThreatConnect, Scarlet Mimic’s past operations have followed closely with the interests of the Communist Party of China. The party remains worried about the potential for rebellion in the highly contested Xinjiang region, where the majority of the Uighur population lives.

Lookout found a series of booby trapped Android applications designed for Chinese users — a SIM Card Management, “Phone Guardian” and Google Searcher program — which carried the same hidden spyware, named JadeRAT. Some of the titles for these malicious apps, as they originally appeared on victims’ devices, carried specific references to “Uighur” in Chinese characters.


“The use of Uighur as an app title in several instances suggests this minority is likely one of the groups being targeted by JadeRAT operators,” Flossman told CyberScoop. “We’ve seen other Android surveillanceware families being used in the region that include Uighur specific references in their titles and also trojanize a similar set of messaging apps like Telegram, Voxer, and Viber.”

Flossman said he discovered the connection between JadeRat and Scarlet Mimic by studying similarities that existed in the hacking group’s other, known espionage tools.

“After public reporting around MobileOrder, a surveillanceware tool previously attributed to Scarlet Mimic, we saw its use tail off however observed several other families emerge that had some overlap around the apps they trojanised, the likely groups they targeted, their capabilities, and to some extent their implementation,” Flossman described. “JadeRAT was one of those families.”

The trojan allows for hackers to access, review and siphon data related to a person’s communications, software usage and GPS location. Technical indicators within these apps provided clues for researchers to understand who the hackers were targeting, what they hoped to learn and how widespread the operation was. In addition, JadeRAT can steal passwords, disable WiFi connection and force a device to shutdown.

Most of the capabilities offered by JadeRAT are relatively standard in other contemporary spyware products. One of the exceptions, however, is a function that automatically notifies the attacker via SMS text message whenever an infected device has booted up. 


While it’s likely that most affected devices were infected with JadeRAT because the victims voluntarily downloaded the aforementioned applications, it’s also possible that Scarlet Mimic physical accessed some of the systems owned by its victims.

“While victims could be compromised via social engineering that tricks them into installing a chat application trojanized with JadeRAT, the frequent use by this family of ‘SIM Card Management’ as a title suggests physical access may also be used in some instances,” explained Flossman. “The reasoning behind this is that it seems fairly unlikely for a typical user to want to install an app that supposedly offers this functionality however, such a title would most likely be ignored by your average user if seen in the list of running apps.”

Palo Alto Network’s research about Scarlet Mimic notes that the group was active since at least 2012 and is largely interested in gathering “information about minority rights activists,” according to a company blog post published last year.

Lookout believes 2017 represents the most active year yet for JadeRAT infections. At the moment, the malware is only effective against Android devices.

Chris Bing

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Marys College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.

Latest Podcasts