Written by Shannon Vavra

A new spate of iOS and Android mobile malware attacks capable of taking control of devices, and tracking GPS location, phone call history, contacts, and text messages has been unleashed on targets in Hong Kong in the last several months, according to multiple cybersecurity companies.

The attackers, which Kaspersky suspects are Chinese-speaking, lure their victims by posting links to local news sites in general discussion sections of forums that are popular among Hong Kong residents. But when victims click through to see the news, attackers deploy a hidden iFrame that runs an iOS malware variant, a modular backdoor.

Trend Micro researchers have also found this malware, dubbing it “LightSpy.” Some of the lures include content on protests in Hong Kong. They also touch on information about the novel coronavirus and sex.

The Android portion of the campaign is being distributed through Instagram posts and Telegram channels, with lures encouraging victims to download an app dedicated to the Hong Kong Democracy and Freedom Movement, according to Kaspersky research. The Android exploit, which TrendMicro dubs “dmsSpy,” transmits sensitive information on texting, calling, and geolocation back to an attacker-controlled command and control server.

In addition to geolocation, phone call history, and text message monitoring, LightSpy is capable of exfiltrating data from machines connected to the same Wi-Fi network. Spyware deployed against victims is also capable of stealing information from Telegram, WeChat, and QQ chat applications.

“Taken together, this threat allows the threat actor to thoroughly compromise an affected device and acquire much of what a user would consider confidential information,” Trend Micro researchers write. “Several chat apps popular in the Hong Kong market were particularly targeted here, suggesting that these were the threat actor’s goals.”

The mobile malware attacks come after activists in Hong Kong protested a controversial Chinese extradition law that has been accompanied by surveillance and misinformation campaigns.

Attacks linked with Thrip

The sweeping campaign does not appear to be aimed at gathering information on specific users, rather, it appears to be intended at surveilling an extensive victim base, Trend Micro researchers assess.

“The design and functionality of operation suggests that the campaign isn’t meant to target victims, but aims to compromise as many mobile devices as possible for device backdooring and surveillance,” Trend Micro researchers say.

But executing the attacks quickly, in recent months, appeared to be a priority for the attackers, according to Kaspersky.

“[W]e can assess that the actor implemented a fairly agile development process, with time seemingly more important than stealthiness or quality,” Kaspersky researchers said.

The Hong Kong protests recently subsided due to the coronavirus pandemic that has forced activists indoors to avoid spreading or contracting the virus.

Kaspersky links this operation, which it dubs “TwoSail Junk,” with activity from a Chinese-speaking APT group known as Thrip, though the company says that attribution is with “at least low confidence.”

Thrip has been running cyber-operations against targets in South Asia for at least a decade, including targets in Hong Kong, according to previous research from Symantec.