High-profile Tibetans have seen their Apple iPhones and Android devices targeted by hacks delivered in WhatsApp messages. All that was required for their device to have a permanent tracker installed on their mobile was a single click of the link within the WhatsApp text, researchers claimed. It’s being labelled the most sophisticated attack on Tibetans yet, after it tried to steal WhatsApp and Facebook chats as well as locations with some novel techniques.
The hackers, believed to be sponsored by the Chinese government, have been dubbed Poison Carp by Citizen Lab, a group of surveillance-tracking researchers at the University of Toronto. The crew lured targets to open messages by pretending to be journalists or charity workers.
The Canadian researchers found technical links between Poison Carp and the group revealed in August by Google Project Zero and Volexity to be targeting the iPhones and Android devices of Uighurs. In particular, the same iPhone malware was used in both sets of attacks, and the same website was used to launch malicious code at Android devices.
Once the Poison Carp malicious link was clicked on, rogue code would try to exploit weaknesses in the Android browser or Apple’s iOS operating system. None of those vulnerabilities were new, though in one case, the attackers tried to exploit a Google Chrome bug whose patch had not yet been deployed to users. Otherwise, anyone who was running an up-to-date Android or iOS at the time should’ve been protected from infection. But for those who didn’t update and were successfully hacked, their WhatsApp and Facebook messages, location, contacts, call and text histories, and Gmail emails could’ve been sent back to the snoops.
Amongst those hit by the hackers between November 2018 and May 2019 were the offices of Tibetan Buddhist leader the Dalai Lama, the Tibetan government-in-exile and Tibetan human rights groups. A total of 17 attempts were made over that period.
Citizen Lab said the attacks were one in a long line of attempts on the Tibetan government-in-exile. But, they added, this was the first documented case of one-click mobile exploits used to target Tibetan groups.
“It represents a significant escalation in social engineering tactics and technical sophistication compared to what we typically have observed being used against the Tibetan community,” the researchers wrote in their report, handed to Forbes ahead of publication.
“This is the most technical attack I have seen to date as it is a one-click exploit, which I have not seen for mobile devices before,” added Lobsang Gyatso from TibCERT, an organization set up to help protect Tibetans from cyberattack.
Apple said iOS had been patched so that the attacks on the Tibetans shouldn’t have been possible on an updated iPhone. “We always encourage customers to download the latest version of iOS for the best and most current security enhancements,” a spokesperson said.
Google also said the problems had been patched and that it helped Citizen Lab with the report.
Tibetans always a target
One of the Tibetan parliamentarians who had their Androids targeted by the Poison Carp attack was Namgyal Dolkar Lhagyari. She’s part of the Tibetan exile community in India. In March this year, she received a WhatsApp message from someone claiming to be from Amnesty International in Hong Kong. The sender claimed to be interested in information regarding a self-immolation, a form of protest at persecution, later providing a news link. She can’t recall whether she clicked the link, but Lhagyari swiftly passed it on to TibCERT, which soon confirmed the link pointed to Android malware.
Though she blocked the number, months later she received a similar link, promising information on an issue regarding the Dalai Lama. TibCERT again confirmed it was another attempt to hack her phone via WhatsApp.
“Receiving affected messages through WhatsApp was new for us,” she told Forbes. “We’ve always assumed WhatsApp to be safer compared to other apps.”
She strongly suspects China, which has long persecuted the Tibetan population. “Considering the work we do, which directly revolves around exposing China for its various forms of human rights abuses in Tibet, and also because similar viruses I’ve retrieved from other Tibetan activist groups working on the issue, it is clear it is a work of Chinese Communist government.”
The Chinese embassy in London hadn’t responded to a request for comment at the time of publication.
A novel Android attack on Facebook
The latest attacks on the Tibetan community also contained some novel Android spyware, said Citizen Lab researcher Bill Marczak. That was because, instead of attempting to hack the core of the Google operating system, the spyware tried to sneak inside the apps themselves, in particular Facebook.
Marczak explained that once the user had opened the malicious link from within WhatsApp, it would then also run inside the Facebook app’s built-in browser. That would then expose all that was inside Facebook.
“These apps, like Facebook, already hold a boatload of permissions to access the phone’s camera, microphone, GPS, SMS messages, contacts, and call logs,” Marczak said, adding that they “have a large attack surface since they run a full browser.”
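Marczak’s point is that an app’s built-in browser runs with that app’s permissions, so a link rendered inside it inherits far more than a link opened in the system browser. The following Android snippet is an added illustration of how an app developer can shrink that attack surface; it is not code from Citizen Lab, Facebook or WhatsApp. It assumes a hypothetical `HardenedWebView` helper and a placeholder host allowlist (`example.org`), and it relies on the `WebViewClient.shouldOverrideUrlLoading(WebView, WebResourceRequest)` overload, which exists from Android API level 24.

```java
import android.content.Context;
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical helper (not from the article): builds an in-app WebView that
// only renders pages from an explicit HTTPS allowlist and exposes none of the
// host app's privileged surface to whatever page is loaded.
public final class HardenedWebView {
    // Placeholder allowlist; a real app would list only the hosts it embeds.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("example.org"));

    public static WebView create(Context ctx) {
        WebView wv = new WebView(ctx);
        WebSettings s = wv.getSettings();

        // Script execution is the usual first step of a browser exploit chain;
        // leave it off unless the embedded content genuinely needs it.
        s.setJavaScriptEnabled(false);

        // Keep web content away from the app's private storage and providers.
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);

        // Let the platform's Safe Browsing checks run on loaded URLs (API 26+).
        s.setSafeBrowsingEnabled(true);

        // Never call wv.addJavascriptInterface(...) here: a Java bridge hands
        // page script a direct path into the app's permission context.
        WebView.setWebContentsDebuggingEnabled(false);

        wv.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest req) {
                // Returning true cancels the navigation inside the WebView.
                return !isAllowed(req.getUrl());
            }
        });
        return wv;
    }

    // Only HTTPS URLs whose host is on the allowlist may render in-app.
    static boolean isAllowed(Uri u) {
        String host = u.getHost();
        return "https".equalsIgnoreCase(u.getScheme())
                && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    // Entry point for links arriving from outside the app (e.g. a chat message).
    // Anything off the allowlist is refused here rather than rendered with the
    // app's permissions; the caller can hand it to the system browser instead.
    public static boolean open(WebView wv, String url) {
        Uri u = Uri.parse(url);
        if (!isAllowed(u)) {
            return false;
        }
        wv.loadUrl(url);
        return true;
    }
}
```

The design choice is to treat the in-app browser as untrusted territory: navigation is allowlisted at the `WebViewClient`, file and provider access are disabled, and no JavaScript bridge is registered, so a malicious page that does land in the view has nothing of the host app to reach. Links the app does not need to render itself are better handed to the system browser, which runs in its own sandbox rather than with the app’s camera, microphone, contacts and SMS permissions.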