{
	"id": "31c77795-c5f0-4519-adf5-5380f8559d07",
	"created_at": "2026-04-06T00:22:26.701621Z",
	"updated_at": "2026-04-10T13:12:11.614491Z",
	"deleted_at": null,
	"sha1_hash": "2f78e99e96ad753ed80066d71c805d3cf3de0221",
	"title": "Android Trojan Found in Targeted Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 509096,
	"plain_text": "Android Trojan Found in Targeted Attack\r\nBy Kurt Baumgartner\r\nPublished: 2013-03-26 · Archived: 2026-04-05 21:55:36 UTC\r\nIn the past, we’ve seen targeted attacks against Tibetan and Uyghur activists on Windows and Mac OS X platforms. We’ve documented several interesting attacks (A Gift for Dalai Lama’s Birthday and Cyber Attacks Against Uyghur Mac OS X Users Intensify) which used ZIP files as well as DOC, XLS and PDF documents rigged with exploits.\r\nSeveral days ago, the e-mail account of a high-profile Tibetan activist was hacked and used to send targeted attacks to other activists and human rights advocates. Perhaps the most interesting part is that the attack e-mails had an APK attachment – a malicious program for Android.\r\nThe attack\r\nOn March 24th, 2013, the e-mail account of a high-profile Tibetan activist was hacked and used to send spear-phishing e-mails to their contact list. This is what the spear-phishing e-mail looked like:\r\nhttps://securelist.com/android-trojan-found-in-targeted-attack-58/35552/\r\nPage 1 of 12\r\nIn regards to the message text above, multiple activist groups have recently organized a human rights conference event in Geneva. We’ve noticed an increase in the number of attacks using this event as a lure. 
Here’s another example of such an attack hitting Windows users:\r\nGoing back to the Android Package (APK) file attached to the e-mail: it is an Android application named “WUC’s Conference.apk”.\r\nThis malicious APK is a 334,326-byte file, MD5: 0b8806b38b52bebfe39ff585639e2ea2, and is detected by Kaspersky Lab products as “Backdoor.AndroidOS.Chuli.a”.\r\nAfter installation, an application named “Conference” appears on the device’s home screen:\r\nIf the victim launches this app, they will see text that describes the upcoming event:\r\nThe full text reads as follows. Notice the use of the mistaken “Word” instead of “World”:\r\n“On behalf of all at the Word Uyghur Congress (WUC), the Unrepresented Nations and Peoples Organization (UNPO) and the Society for Threatened Peoples (STP), Human Rights in China: Implications for East Turkestan, Tibet and Southern Mongolia\r\nIn what was an unprecedented coming-together of leading Uyghur, Mongolian, Tibetan and Chinese activists, as well as other leading international experts, we were greatly humbled by the great enthusiasm, contribution and desire from all in attendance to make this occasion something meaningful, the outcome of which produced some concrete, action-orientated solutions to our shared grievances. We are especially delighted about the platform and programme of work established in the declaration of the conference, upon which we sincerely hope will be built a strong and resolute working relationship on our shared goals for the future. 
With this in mind, we thoroughly look forward to working with you on these matters.\r\nDolkun lsa\r\nChairman of the Executive Committee\r\nWord Uyghur Congress”\r\nWhile the victim reads this fake message, the malware secretly reports the infection to a command-and-control server. After that, it begins to harvest information stored on the device. The stolen data includes:\r\nContacts (stored both on the phone and the SIM card).\r\nCall logs.\r\nSMS messages.\r\nGeo-location.\r\nPhone data (phone number, OS version, phone model, SDK version).\r\nIt is important to note that the data won’t be uploaded to the C&C server automatically. The Trojan waits for incoming SMS messages (handled by “alarmReceiver.class”) and checks whether these messages contain one of the following commands: “sms”, “contact”, “location”, “other”. If one of these commands is found, the malware encodes the stolen data with Base64 and uploads it to the command-and-control server. The C2 URL is:\r\nhxxp://64.78.161.133/*victim’s_cell_phone_number*/process.php\r\nIn addition to this, the malware also reports to another script, “hxxp://64.78.161.33/android.php”. First, it reads the “nativenumber” variable from the “telmark” value in “AndroidManifest.xml”. This value is hardcoded and equals “phone”. Then it appends the result of the public method localDate.getTime(), which simply returns the current date. An example of the string sent to the command-and-control server would be “phone 26.03.2013”.\r\nIt is interesting that the attackers used the Java Base64 library developed by Sauron Software. This software is free and distributed under the LGPL license.\r\nAlso, command communications with the malware are parsed by a function named “chuli()” prior to POSTing stolen data to the command-and-control server. 
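As an added example for the upload and check-in behaviour described above (not code from the Securelist post, and not the malware’s own Java), the following Python reconstructs the three observable pieces from the description: the SMS command trigger, the ‘phone dd.mm.yyyy’ check-in string sent to android.php, and the per-victim upload URL /<phone number>/process.php with a Base64-encoded body. It then scans web-proxy log lines for those patterns and decodes any captured upload. The log format (timestamp, client, method, URL, body) and the sample lines, including the phone number and the Base64 payload, are constructed assumptions, and treating the two IP addresses printed in the post as one indicator set is a choice of the example.

```python
import base64
import binascii
from datetime import datetime
from urllib.parse import urlparse

# Network indicators from the Securelist write-up: the C2 IP(s), the
# per-victim upload path /<phone number>/process.php and the android.php
# check-in. Both addresses printed in the post are kept as indicators.
C2_HOSTS = ('64.78.161.133', '64.78.161.33')
UPLOAD_SCRIPT = 'process.php'
BEACON_PATH = '/android.php'
SMS_COMMANDS = ('sms', 'contact', 'location', 'other')


def sms_command(message: str):
    # Reconstruction of the trigger: an incoming SMS is checked for one of
    # the command keywords; the first one found selects what is uploaded.
    text = message.lower()
    for command in SMS_COMMANDS:
        if command in text:
            return command
    return None


def is_beacon(body: str) -> bool:
    # The android.php check-in is the hardcoded telmark value followed by a
    # dd.mm.yyyy date, e.g. 'phone 26.03.2013'.
    parts = body.split()
    if len(parts) != 2 or parts[0] != 'phone':
        return False
    try:
        datetime.strptime(parts[1], '%d.%m.%Y')
    except ValueError:
        return False
    return True


def classify_url(url: str):
    # Returns 'exfil', 'beacon', 'c2-host' or None for a request URL.
    parsed = urlparse(url)
    if parsed.hostname not in C2_HOSTS:
        return None
    segments = parsed.path.strip('/').split('/')
    if (len(segments) == 2 and segments[0].lstrip('+').isdigit()
            and segments[1] == UPLOAD_SCRIPT):
        return 'exfil'
    if parsed.path == BEACON_PATH:
        return 'beacon'
    return 'c2-host'


def decode_upload(body: str):
    # Stolen data is uploaded Base64-encoded; decode it for the analyst.
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode('utf-8', errors='replace')


def scan_log(log_text: str):
    # Assumed proxy log format (constructed): ts client method url body
    alerts = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split(None, 4)
        if len(fields) < 4:
            continue
        _ts, client, method, url = fields[:4]
        body = fields[4] if len(fields) == 5 else '-'
        kind = classify_url(url)
        if kind is None:
            continue
        alert = {'line': number, 'client': client, 'kind': kind,
                 'url': url, 'decoded': None}
        if kind == 'exfil' and method == 'POST' and body != '-':
            alert['decoded'] = decode_upload(body)
        if kind == 'beacon' and not is_beacon(body):
            alert['kind'] = 'c2-host'   # android.php hit without the expected beacon
        alerts.append(alert)
    return alerts


# Constructed sample log lines (not real traffic) in the assumed format.
SAMPLE_LOG = '''
2013-03-26T09:12:01Z 10.0.0.7 POST http://64.78.161.33/android.php phone 26.03.2013
2013-03-26T09:12:02Z 10.0.0.7 GET http://www.example.org/index.html -
2013-03-26T09:40:17Z 10.0.0.7 POST http://64.78.161.133/15551234567/process.php Q29udGFjdHM6IEFsaWNl
2013-03-26T09:41:00Z 10.0.0.9 GET http://64.78.161.133/ -
'''


if __name__ == '__main__':
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Matching on the host alone (the ‘c2-host’ result) is kept deliberately: the IP is an indicator in its own right, and the path and beacon checks only raise the confidence of a hit. In a real deployment the host list would be fed from threat intelligence rather than hardcoded, and the SMS trigger function would run over SMS logs from a managed device rather than over proxy data.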
It appears that the attackers are somewhat familiar with the language and mountain-trekking culture of the targets – the meaning of “chuli” is “summit”:\r\nThe command-and-control server and parameters can be easily seen in the decompiled source code:\r\nCommand and control server interaction code\r\nThroughout the code, the attackers log all important actions, which include various messages in Chinese. This was probably done for debugging purposes, indicating the malware may be an early prototype version. Some actions include (with rough translations):\r\nThe command-and-control server\r\nThe command-and-control server is located at IP 64.78.161.133. This IP is located in Los Angeles, U.S.A., at a hosting company named “Emagine Concept Inc”.\r\nInterestingly, there is a domain which used to point there, “DlmDocumentsExchange.com”. The domain was registered on March 8th, 2013:\r\nRegistration Service Provided By: SHANGHAI MEICHENG TECHNOLOGY INFORMATION DEVELOPMENT CO., LTD.\r\nDomain Name: DLMDOCUMENTSEXCHANGE.COM\r\nRegistration Date: 08-Mar-2013\r\nExpiration Date: 08-Mar-2014\r\nStatus: LOCKED\r\nThe domain registration data indicates the following owner:\r\nRegistrant Contact Details:\r\npeng jia\r\npeng jia (bdoufwke123010@gmail.com)\r\nbeijingshiahiidienquc.d\r\nbeijingshi\r\nbeijing,100000\r\nCN\r\nTel. +86.01078456689\r\nFax. +86.01078456689\r\nThe command-and-control server is hosting an index page which also serves an APK file:\r\nThe referenced “Document.apk” is 333,583 bytes in size, MD5: c4c4077e9449147d754afd972e247efc. It has the same functionality as the one described above but contains different text. 
The new text (in Chinese, about relations between China, Japan and the disputed “Senkaku Islands / Diaoyudao Islands / Diaoyutai Islands”) is shown to the victims and reads as follows:\r\nWhen opened in a browser, this is what the command-and-control index page looks like:\r\nThe text on the top means “Title Title Title” in Chinese, while the other strings appear to be random characters typed from the keyboard.\r\nInterestingly, the command-and-control server includes a publicly accessible interface to work with the victims:\r\nSome of the commands with rough translations:\r\nThe command-and-control server is running Windows Server 2003 and has been configured for the Chinese language:\r\nThis, together with the logs, is a strong indicator that the attackers are Chinese-speaking.\r\nConclusions\r\nEvery day, there are hundreds if not thousands of targeted attacks against Tibetan and Uyghur supporters. The vast majority of these target Windows machines through Word documents exploiting known vulnerabilities such as CVE-2012-0158, CVE-2010-3333 and CVE-2009-3129.\r\nIn this case, the attackers hacked a Tibetan activist’s account and used it to attack Uyghur activists. This perhaps indicates an interesting trend: exploiting the trust relationships between the two communities. The technique reminds us of a combination of the age-old war strategies “Divide et impera” and “By way of deception”.\r\nUntil now, we haven’t seen targeted attacks against mobile phones, although we’ve seen indications that these were in development.\r\nThe current attack took advantage of the compromise of a high-profile Tibetan activist. 
It is perhaps the first in a new wave of targeted attacks aimed at Android users. So far, the attackers have relied entirely on social engineering to infect the targets: an APK received by e-mail does nothing until the victim installs it, which on Android at the time required the user to allow installation from unknown sources. History has shown us that, in time, these attacks will use zero-day vulnerabilities, exploits or a combination of techniques.\r\nFor now, the best protection is to avoid any APK attachments that arrive on mobile phones via e-mail.\r\nWe detect the malware used in this attack as “Backdoor.AndroidOS.Chuli.a”.\r\nMD5s:\r\nc4c4077e9449147d754afd972e247efc Document.apk\r\n0b8806b38b52bebfe39ff585639e2ea2 WUC’s Conference.apk\r\nSource: https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/"
	],
	"report_names": [
		"35552"
	],
	"threat_actors": [
		{
			"id": "c1ac2a5e-0225-47a4-8ac5-5fa898c96bde",
			"created_at": "2023-01-06T13:46:38.472883Z",
			"updated_at": "2026-04-10T02:00:02.989134Z",
			"deleted_at": null,
			"main_name": "ProjectSauron",
			"aliases": [
				"Sauron",
				"Project Sauron",
				"G0041"
			],
			"source_name": "MISPGALAXY:ProjectSauron",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434946,
	"ts_updated_at": 1775826731,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f78e99e96ad753ed80066d71c805d3cf3de0221.pdf",
		"text": "https://archive.orkl.eu/2f78e99e96ad753ed80066d71c805d3cf3de0221.txt",
		"img": "https://archive.orkl.eu/2f78e99e96ad753ed80066d71c805d3cf3de0221.jpg"
	}
}