BlackBerry Cylance: More and more APT groups are relying on mobile malware to track dissidents

What has been used to track political dissidents inside certain countries is now being used on targets abroad, according to Cylance.
(Getty Images)

State-backed hackers from China and Iran have long been spying on their country’s political dissidents using mobile malware, but new research from BlackBerry’s Cylance shows these same nation-state hackers — including groups that have previously been unknown — also are using the malware to monitor targets abroad.

“It’s … worth expanding our notion of the typical target of the Chinese government: malware meant for targets of interest … for domestic reasons may very well end up inside a Western business,” Cylance researchers write in a blog post.

Chinese hackers, for instance, have been using mobile malware to spy on the Uighur and Tibetan population in recent months through iOS and Android malware. But while Volexity, the firm behind the research on surveillance of the Uighur population, has previously said there were “possible ties” between the two campaigns, Cylance links both to one actor.

Cylance claims Winnti, a Chinese advanced persistent threat (APT) group better known for its targeting of foreign commercial or defense targets, is responsible for the dissident campaigns.


“The connection between the political espionage campaign and a threat actor best known for military and economic espionage on other platforms was surprising,” the researchers write.

It is also the first time Winnti has been associated with a mobile malware campaign, according to Cylance. The group has previously been blamed for attacks against a German drug company and a Western aerospace firm.

Iran mixes domestic and foreign targets, too

Iranian mobile malware campaigns are targeting a similar blend of domestic and foreign dissidents, Cylance researchers assess. Domestic Kitten, an Iran-linked APT group, for instance, has historically been known to target Iranian citizens with mobile malware. But the group has added foreign espionage, such as stealing military documents and images from other Middle Eastern countries using Android malware.

It’s a scheme, first identified by Trend Micro dubbed “Bouncing Golf,” that Cylance assesses is “very clearly” a “continuation” of Domestic Kitten’s domestic targeting.


Trend Micro had only previously said there is a “possible” connection between the domestic and foreign targeting.

“In fewer than three years, the Iranian effort to add mobile surveillance capabilities underwent drastic improvement in terms of the quality and complexity of its Android malware, the sophistication of its socially engineered delivery mechanisms, the ability to pivot between domestic and foreign target sets,” the Cylance researchers write.

New APT group

While Cylance found actions tied to previously known groups, the company also says it’s discovered a group never before seen. The APT group that Cylance identifies, dubbed BBCY-TA2, has been using new Android and Windows mobile malware, dubbed “PWNDROID3” and “PWNWIN1,” alongside desktop malware to conduct campaigns that appear intent on rooting out political dissension through surveillance, Cylance’s Brian Robison said.

Specifically, the Android malware offers geolocation tracking, call monitoring, and screen monitoring.


The APT group distributed its malware through mobile apps that imitate a popular Bitcoin app that converts Bitcoin to local currency. All the apps have some version of the name ‘Local Bitcoin’ in them, but Cylance does not list them out individually.

This group is not operating in a silo. According to Cylance, BBCY-TA2 has overlapping infrastructure with another group Cylance identifies, dubbed BBCY-TA3, that’s been focused less on domestic politics and more on foreign commercial targets. This new group has been targeting telecommunications and chemical manufacturing in the U.S., Germany, and Canada, and has been more focused on desktop campaigns, the researchers write.

BBCY-TA2 and BBCY-TA3 are not necessarily the same group, but the overlapping infrastructure links their domestic and foreign targets, echoing the crossover of Winnti’s domestic and foreign targets. The BBCY-TA2 and BBCY-TA3 campaigns also use cross-platform targeting.

Mobile malware is increasingly used by hacking group because mobile security solutions are few and far between, so avoiding detection is much easier than efforts that target users on desktop or laptop computers, according to Cylance.

Although it’s unclear if the overlap is coordinated, the intermixing of targets, tools, and infrastructure can make it tricky for intelligence analysts and threat intelligence firms tracking nation-state actors to defend against them.


“Low threat detection rates and a false sense of security have made mobile users an easy target. Given an immature market, security solutions intended to block mobile malware are few in number,” Cylance researchers write.

Latest Podcasts