{
	"id": "ddfcf6b1-c136-4ab1-9daa-73ee59743999",
	"created_at": "2026-04-06T01:32:32.667346Z",
	"updated_at": "2026-04-10T13:12:36.497189Z",
	"deleted_at": null,
	"sha1_hash": "90918ed56fca20ec1bcff490b373016f61119251",
	"title": "CPR analyzes A 7-year mobile surveillance campaign targeting largest minority in China",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 83021,
	"plain_text": "CPR analyzes A 7-year mobile surveillance campaign targeting\r\nlargest minority in China\r\nBy etal\r\nPublished: 2022-09-22 · Archived: 2026-04-06 00:17:58 UTC\r\nHighlights:\r\nCheck Point Research (CPR) examines a long-running mobile surveillance campaign, targeting the largest\r\nminority in China - the Uyghurs.\r\nThe campaign is attributed to the Scarlet Mimic hacking group, which has used more than 20 different\r\nvariations of its Android malware, disguised in multiple Uyghur-related baits such as books, pictures, and\r\neven an audio version of the Quran.\r\nThe malware capabilities allow the attackers to easily steal sensitive data from the infected device, as well\r\nas perform calls or send an SMS on the victim’s behalf and track their location in real-time.\r\nBackground\r\nCPR researchers have recently observed a new wave of a long-standing campaign targeting the Uyghur\r\ncommunity, a Turkic ethnic group originating from Central Asia, one of the largest minority ethnic groups in\r\nChina. This malicious activity, which we have attributed to the actor called Scarlet Mimic, was first brought to light\r\nin 2016 with a campaign that targeted the Uyghur and Tibetan minority rights activists. Past reports have\r\nsuggested it could be linked to China, which has previously been accused of hacking and surveillance toward the\r\nUyghurs.\r\nSince then, CPR has observed the group using more than 20 different variations of their Android malware,\r\ndisguised in multiple Uyghur-related baits such as books, pictures, and even an audio version of the Quran. The\r\nmalware is relatively unsophisticated from a technical standpoint. However, its capabilities allow the attackers to\r\neasily steal sensitive data from the infected devices, even perform calls or send an SMS and track their location in\r\nreal-time. This makes it a powerful and dangerous surveillance tool. 
This tool also allows audio recording of\r\nincoming and outgoing calls, as well as surround recording.\r\nIn this report, we present a technical analysis and describe the evolution of the campaign in the last seven years.\r\nAlthough a small part of this campaign was briefly discussed in Cyble’s publication as an isolated and unattributed\r\nincident, in this article we put the whole campaign in perspective and outline almost a decade’s worth of persistent\r\nefforts in phone surveillance of the Uyghur community.\r\nOverview of the campaign\r\nSince the malware was first discovered back in 2015, we have identified more than 20 samples of Android spyware called\r\nMobileOrder, with the latest variant dated mid-August 2022. As there are no indications that any of them were\r\nhttps://blog.checkpoint.com/2022/09/22/cpr-analyzes-a-7-year-mobile-surveillance-campaign-targeting-largest-minority-in-china/\r\nPage 1 of 5\n\ndistributed from the Google Store, we can assume the malware is distributed by other means, most likely by\r\ntargeted social engineering campaigns. In most cases, the malicious applications masquerade as PDF documents,\r\nphotos, or audio. When the victim opens the decoy content, the malware begins to perform extensive surveillance\r\nactions in the background. These include stealing sensitive data such as the device information, SMS messages,\r\nthe device location, and files stored on the device. 
The malware is also capable of actively executing commands to\r\nrun a remote shell, take photos, perform calls, manipulate SMS messages, call logs and local files, and record the\r\nsurround sound.\r\nThe MobileOrder malware, despite being actively used and updated, still does not support some modern Android\r\nOS features, such as runtime permissions or the new intent for APK installation, and does not use techniques common\r\nto most modern malware such as accessibility usage, avoiding battery optimization, etc.\r\nCPR researchers are not able to identify whether the attacks have been successful, yet the fact that the group has\r\ncontinued to develop and deploy the malware for so many years suggests that they have been successful, at least,\r\nin some of their operations.\r\nVictimology and lures\r\nMost of the malicious applications we observed have names in the Uyghur language, in its Arabic or Latin scripts.\r\nThey contain different decoys (documents, pictures, or audio samples) with content related to the ethnic\r\ngeopolitical conflict centered on Uyghurs in China’s far-northwest region of Xinjiang, or with religious\r\ncontent referencing the Uyghurs’ Muslim identification. 
We can therefore conclude that this campaign is likely\r\nintended to target the Uyghur minority or organizations and individuals supporting them, which is consistent with\r\nthe Scarlet Mimic group’s previously reported activity.\r\nA few interesting examples of decoys used by the actor over the years include:\r\nThe sample with the original name “photo” (md5:a4f09ccb185d73df1dec4a0b16bf6e2c) contains the\r\npicture of Elqut Alim, the “New Chief Media Officer” of the Norwegian Youth Union who call themselves\r\n“a group of Uyghur youth who live in Norway with a common understanding and a common goal, which is\r\nto stand up against China’s invasion of East Turkestan.” The malware was uploaded to VirusTotal with the name\r\nin Uyghur Latin and a fake “.jpg” extension.\r\nDecoy image from the sample a4f09ccb185d73df1dec4a0b16bf6e2c.\r\nThe application named “پارتىزانلىق ئۇرۇشى”, which translates from Uyghur to “Guerrilla Warfare” (md5:\r\nb5fb0fb9488e1b8aa032d7788282005f), contains a PDF of the abridged version of the military course\r\nby Yusuf al-Ayeri, the now deceased first leader of Al-Qaeda in Saudi Arabia, which outlines the tactical\r\nmethods of guerrilla warfare.\r\nThe lure PDF containing the materials by the military wing of Al-Qaeda.\r\nThe sample called “The China Freedom Trap” (md5: a38e8d70855412b7ece6de603b35ad63) masquerades\r\nas a partial PDF of the book with the same name written by Dolkun Isa, politician and activist from the\r\nregion of Xinjiang and the current president of the World Uyghur Congress:\r\nThe cover of the lure PDF.\r\nThe sample called “quran kerim” which translates as “Noble Quran” (md5:\r\nf10c5efe7eea3c5b7ebb7f3bf7624073) uses as a decoy an 
mp3 file of a recorded speech in what seems to be\r\na Turkic language.\r\nHow To Protect Against Android Malware\r\nCyber criminals and governments target mobile devices because users do not always secure their devices or\r\npractice safe habits. Mobile Device Security is a combination of strategies and tools that secure mobile devices\r\nagainst security threats.\r\nCommon best practices for preventing mobile threats include securing email communications on\r\nmobile devices, for instance, using software that warns people not to click on suspicious links, enforcing their\r\norganization’s security policies and requiring mobile users to use a virtual private network (VPN).\r\nAlthough mobile security components vary based on each organization’s needs, mobile security always involves\r\nauthenticating users and restricting network access. This is accomplished best with mobile security software.\r\nHarmony Mobile leverages Check Point’s ThreatCloud and award-winning file protection capabilities to block the\r\ndownload of malicious files to mobile devices and prevent file-based cyber-attacks on organizations.\r\nIf you need a mobile security solution, request a free demo of Check Point Harmony Mobile to see how we can\r\nprotect your mobile devices from cyber-attacks.\r\nConclusion\r\nScarlet Mimic seems to be a politically motivated group. In the past, there have been reports from other\r\nresearchers that it could be linked to China. If true, it would make these surveillance operations part of a much\r\nwider issue, as this minority group has reportedly been on the receiving end of attacks for many years.\r\nWhat we do know is that Scarlet Mimic has been carrying out its espionage operations for the last eight years\r\nagainst the Uyghur community using Android malware. 
The persistence of the campaign, the evolution of the\r\nmalware and the focus on targeting specific populations indicate that the group’s operations over the years are\r\nsuccessful to some extent. This threat group’s shift in attack vector into the mobile sector provides evidence of a\r\ngrowing tendency toward extensive surveillance operations executed on mobile devices, the most sensitive and\r\nprivate assets.\r\nSource: https://blog.checkpoint.com/2022/09/22/cpr-analyzes-a-7-year-mobile-surveillance-campaign-targeting-largest-minority-in-china/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/2022/09/22/cpr-analyzes-a-7-year-mobile-surveillance-campaign-targeting-largest-minority-in-china/"
	],
	"report_names": [
		"cpr-analyzes-a-7-year-mobile-surveillance-campaign-targeting-largest-minority-in-china"
	],
	"threat_actors": [
		{
			"id": "8c5c318c-0e71-4184-92bb-d1c28f68a411",
			"created_at": "2022-10-25T15:50:23.692481Z",
			"updated_at": "2026-04-10T02:00:05.409574Z",
			"deleted_at": null,
			"main_name": "Scarlet Mimic",
			"aliases": [
				"Scarlet Mimic"
			],
			"source_name": "MITRE:Scarlet Mimic",
			"tools": [
				"Psylo",
				"MobileOrder",
				"CallMe",
				"FakeM"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cac03bbf-0c42-470d-951e-0e92656be6cb",
			"created_at": "2023-01-06T13:46:38.463275Z",
			"updated_at": "2026-04-10T02:00:02.985402Z",
			"deleted_at": null,
			"main_name": "Scarlet Mimic",
			"aliases": [
				"Golfing Taurus",
				"G0029"
			],
			"source_name": "MISPGALAXY:Scarlet Mimic",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9fc2aed1-c838-41e9-b469-922e7bab6f94",
			"created_at": "2022-10-25T16:07:24.162936Z",
			"updated_at": "2026-04-10T02:00:04.886029Z",
			"deleted_at": null,
			"main_name": "Scarlet Mimic",
			"aliases": [
				"G0029",
				"Golfing Taurus"
			],
			"source_name": "ETDA:Scarlet Mimic",
			"tools": [
				"BrutishCommand",
				"CallMe",
				"CrypticConvo",
				"Elirks",
				"FakeFish",
				"FakeHighFive",
				"FakeM",
				"FakeM RAT",
				"FullThrottle",
				"HTran",
				"HUC Packet Transmit Tool",
				"MobileOrder",
				"Psylo",
				"RaidBase",
				"SkiBoot",
				"SubtractThis",
				"Terminator RAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439152,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/90918ed56fca20ec1bcff490b373016f61119251.pdf",
		"text": "https://archive.orkl.eu/90918ed56fca20ec1bcff490b373016f61119251.txt",
		"img": "https://archive.orkl.eu/90918ed56fca20ec1bcff490b373016f61119251.jpg"
	}
}