{ "id": "97461169-8cad-4825-8670-d17021ffb1dd", "created_at": "2026-04-06T00:13:57.105529Z", "updated_at": "2026-04-10T13:12:12.632176Z", "deleted_at": null, "sha1_hash": "9ed23864965f3a112958a243db3cef428a5c9b50", "title": "Permission to Spy: An Analysis of Android Malware Targeting Tibetans", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 808416, "plain_text": "Permission to Spy: An Analysis of Android Malware Targeting\r\nTibetans\r\nArchived: 2026-04-05 20:57:11 UTC\r\nKey Findings\r\nA compromised version of Kakao Talk, an Android-based mobile messaging client, was sent in a highly-targeted email to a prominent individual in the Tibetan community.\r\nThis email message repurposed a legitimate private email message sent by an information security expert\r\nin the Tibetan community to a member of the Tibetan parliament-in-exile.\r\nThis malware is designed to send a user’s contacts, SMS message history, and cellular network location to\r\nattackers.\r\nThe cellular network information gathered by this malware would only be useful to actors with detailed\r\nknowledge of the cellular communication provider’s technical infrastructure.\r\nThe compromised application was not detected as malware by any of the three mobile malware scanning\r\napplications we tested.\r\nBackground\r\nThis blog post is part of a series documenting the use of information operations against Tibetans and others who\r\nadvocate for Tibetan rights and freedoms. This research is part of the Citizen Lab’s ongoing study of targeted\r\ncyber threats against human rights organizations. Prior research by the Citizen Lab has documented targeted\r\nmalware sent to a Tibetan organization by the APT1 group, malware that repurposes privately-held content of\r\nTibetan groups, and malware that leverages the issues of self-immolations amongst Tibetans and a European\r\nParliament resolution on the human rights situation in Tibet.\r\nThe incident described in this post stands out from our past reports given its use of malware designed for the\r\nAndroid platform. The attack repurposed a genuine private email message containing a legitimate Android\r\nApplication Package File (APK) that was sent from an information security expert in the Tibetan community to a\r\nmember of the Tibetan parliament-in-exile. It is likely that the attacker obtained the original message and\r\nattachment through a compromised email account of the parliament member. The attacker then sent the same\r\nmessage to another prominent member of the Tibetan community, but this time with a compromised version of the\r\nsame Android APK containing malicious code.\r\nMalware targeting the Tibetan community has utilized a variety of platforms over time. The majority of targeted\r\nmalware campaigns against the Tibetan community focus on Windows platforms. However, we have also seen\r\nattacks targeting Macs and the emergence of mobile malware. Additionally, during investigations of command and\r\ncontrol (C2) servers associated with the Luckycat campaign [PDF], Trend Micro [PDF] found two malicious\r\nAndroid APKs in early stages of development that could collect device information and download and upload files\r\nhttps://citizenlab.ca/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/\r\nPage 1 of 11\n\nby remote command. Based on the available information, it was not clear to Trend Micro how the attackers\r\nintended to deliver the mobile malware to targets.\r\nOn March 26, 2013, researchers at Kaspersky reported on a compromise of an email account of a high-profile\r\nTibetan activist, which was used by attackers to send targeted malware to the activist’s contact list. The targeted\r\nattacks leveraged email content about the World Uyghur Congress and included a malicious APK file purporting\r\nto be an app with information on the event. That malware allowed attackers to collect data from infected devices\r\nincluding contacts, call logs, SMS messages, geo-location, and phone data (phone number, OS version, phone\r\nmodel, SDK version).\r\nAttack Overview\r\nIn January 2013, a Tibetan source provided the Citizen Lab with a forged email containing a compromised\r\nsoftware installation package, in the form of an Android APK, for a mobile application called Kakao Talk. Kakao\r\nTalk is an application developed by a South Korean company that “allows its users to send and receive messages\r\nincluding photos, videos and contact information, both on a one-to-one basis and in groups, all for free.” Members\r\nof the Tibetan community have used Kakao Talk and other applications as alternatives to WeChat (a chat client\r\nrapidly rising in popularity) after concerns were raised regarding that application’s general security and the\r\npotential for Tencent (the Chinese company that provides the application) to monitor users at the behest of the\r\nChinese government.\r\nOn December 4, 2012, an information security expert who works within the Tibetan community sent a private\r\nemail to a member of the Tibetan parliament-in-exile, based in Dharamsala, India. That email attached a genuine\r\nversion of Kakao Talk and Tunein (an online radio application) as .apk files.\r\nOn January 16, 2013, an email purporting to be from this same information security expert was sent to a high\r\nprofile political figure in the Tibetan community. The email contained the same text as the message from\r\nDecember 4, but attached a compromised version of the same Kakao Talk Android APK, as seen below in Figure\r\n1.\r\nhttps://citizenlab.ca/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/\r\nPage 2 of 11\n\nTechnical Analysis\r\nOur analysis reveals that the legitimate Kakao Talk application was modified to include additional permission\r\nrequests while preserving the core chat functionality and user interface of the application. (Hereafter this added\r\nfunctionality will be referred to as the “malware.”) In order for the malware to be installed, the user must permit\r\napplications to be installed from sources other than the Google Play store. This permission is not enabled by\r\ndefault in Android. However, as many members of the Tibetan community (particularly those inside Tibetan areas)\r\nhave access to the Google Play service restricted, they are required to permit applications to be installed from\r\noutside sources, and circulating APKs outside of Google Play is common. In addition to permitting the “allow\r\nfrom unknown sources” option, the user must also must permit the additional permissions requested by the\r\napplication. Users may be duped into accepting these permissions by assuming they are required for the regular\r\nfunctionality of the application or by not reviewing them carefully and approving. Once these permissions are\r\napproved, they are used to authorize the additional data-gathering capabilities of the malware, which is configured\r\nto autostart on device boot.\r\nThe Kakao Talk application and malware were repackaged into the modified APK and signed with an illegitimate\r\ncertificate. Both the original and illegitimate certificates are reproduced below. Notice that fields in the\r\nhttps://citizenlab.ca/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/\r\nPage 3 of 11\n\nillegitimate certificate have been populated with what appears to be an assortment of nonsensical characters from\r\na QWERTY keyboard:\r\nOriginal legitimate certificate:\r\nOwner: OU=kakaoteam, O=kakao, C=ko\r\nIssuer: OU=kakaoteam, O=kakao, C=ko\r\nSerial number: 4c707197\r\nValid from: Sat Aug 21 20:38:47 EDT 2010 until: Mon Jul 28 20:38:47 EDT 2110\r\nCertificate fingerprints:\r\nMD5: 70:D4:94:75:18:38:25:BE:88:A1:BA:9A:50:30:DA:E3\r\nSHA1: EC:C4:5B:90:2A:C1:E8:3C:8B:E1:75:8A:25:7E:67:49:2D:E3:74:56\r\nSignature algorithm name: SHA1withRSA\r\nVersion: 3\r\nIllegitimate certificate:\r\nOwner: CN=qwe, OU=asd, O=zxc, L=rty, ST=fgh, C=vbn\r\nIssuer: CN=qwe, OU=asd, O=zxc, L=rty, ST=fgh, C=vbn\r\nSerial number: a3e5475\r\nValid from: Tue Jan 08 22:45:49 EST 2013 until: Wed Oct 12 23:45:49 EDT 2067\r\nCertificate fingerprints:\r\nMD5: BC:04:8C:12:93:39:BE:B7:72:B3:62:E0:9C:B3:03:0B\r\nSHA1: A6:41:78:7B:93:FC:00:77:ED:61:AC:B9:10:9B:07:48:46:9A:76:EB\r\nSignature algorithm name: SHA1withDSA\r\nVersion: 3\r\nThe following permissions are added by the malware and do not exist in the legitimate version:\r\nandroid.permission.GET_ACCOUNTS\r\nandroid.permission.ACCESS_NETWORK_STATE\r\nandroid.permission.READ_SMS\r\nandroid.permission.INTERNET\r\nandroid.permission.ACCESS_FINE_LOCATION\r\nandroid.permission.WRITE_SETTINGS\r\nandroid.permission.WRITE_SECURE_SETTINGS\r\nandroid.permission.WRITE_APN_SETTINGS\r\nandroid.permission.MOUNT_UNMOUNT_FILESYSTEMS\r\nandroid.permission.PROCESS_OUTGOING_CALLS\r\nandroid.permission.DEVICE_POWER\r\nadnroid.permission.ACCESS_CHECKIN_PROPERTTES\r\nandroid.permission.INTERNET\r\nadnroid.permission.CHANGE_WIFI_STATE\r\nandroid.permission.MODIFY_PHONE_STAT\r\nhttps://citizenlab.ca/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/\r\nPage 4 of 11\n\nandroid.permission.BLUETOOTH_ADMIN\r\nandroid.permission.BLUETOOTH\r\nandroid.permission.BIND_DEVICE_ADMIN\r\nandroid.permission.USES_POLICY_FORCE_LOCK\r\nandroid.permission.CHANGE_CONFIGURATION\r\nFigure 2 below shows the difference in permissions between the legitimate and modified Kakao Talk software\r\npackage. Users can display the permissions granted to an application by selecting ‘Apps’ from the settings menu.\r\nThe sections highlighted in red show differences between the legitimate and illegitimate version of the\r\napplication:\r\nUsing these permissions, the malware performs the following actions of significant concern:\r\n1. On a periodic basis the user’s contacts, call history, SMS messages and cellular network configuration are\r\nwritten to an encrypted file called info.txt.\r\n2. Periodically contacts a command and control server (C2)  “android.uyghur.dnsd.me” to retrieve updated\r\nconfiguration information such as URLs and login credentials. This configuration information directs the\r\nhttps://citizenlab.ca/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/\r\nPage 5 of 11\n\nmalware where to upload the info.txt file. The site hosting the C2 appears to emulate the appearance of the\r\nBaidu website (a Chinese search engine), but includes encrypted configuration data hidden in the\r\ncomments. By masking the C2 as a seemingly innocuous website, requests would appear to be legitimate\r\non casual inspection. The configuration data contained in the comments direct the malware to upload\r\ncaptured data from the device to an FTP server and contain a pointer to a new C2 that would allow the\r\nattackers to change the C2 should that need arise.\r\n3. Intercepts SMS messages and searches for a special code sent by a malicious actor, which if detected\r\nresponds to the sender with the base station ID, tower ID, mobile network code and mobile area code of the\r\nphone in question. This message is not displayed to the user and they are never made aware of it.\r\nThe fact that the malware silently responds to the SMS with such detailed technical information on the cellular\r\nphone network and topology is both troubling and curious.\r\nAn unsophisticated actor would have little or no use for this information if they were simply interested in\r\nexfiltrating data from the user for purposes such as fraud, spam or identity theft. Nor can this information be easily\r\nused to place a person’s physical location — the malware is not responding with a convenient longitude and\r\nlatitude. Detailed knowledge of the cellular network topology and configuration would be required to determine a\r\nuser’s location, something unlikely to be in such an actor’s possession.\r\nThis information is only useful to actors with access to the cellular communications provider and its technical\r\ninfrastructure, such as large businesses and government. It almost certainly represents the information that a\r\ncellular service provider requires to initiate eavesdropping, often referred to as “trap \u0026 trace.” Actors at this level\r\nwould also have access to the data required to perform radio frequency triangulation based on the signal data from\r\nmultiple towers, placing the user within a small geographical area.\r\nHowever, it is also possible that this data is being gathered opportunistically by an actor without access to such\r\ncellular network information. We can only speculate on what may be done with the data that is collected.\r\nOf the additional permissions requested by the malware, some do not appear to be used, including GPS location,\r\nBluetooth radio access, and phone sleep state. While these features are not currently being utilized, exploiting\r\nthem could have serious consequences.  For instance, Bluetooth functionality could potentially be used to\r\nenumerate devices (and through this other individuals) in close proximity to the compromised phone. The fact that\r\nthese features are not currently utilized may indicate that the malware is still undergoing development.\r\nFurther evidence suggests that the malware may be in the process of development. Two of the additional\r\npermissions requested by the malware are misspelled, rendering these permissions unusable:\r\nadnroid.permission.ACCESS_CHECKIN_PROPERTTES\r\nadnroid.permission.CHANGE_WIFI_STATE\r\nWe ran three popular mobile antivirus scanners (provided by Avast, Lookout, and Kaspersky) on an Android\r\nhandset with the compromised application installed. As seen in Figure 3, none of the three scanners detected the\r\napplications as malicious on two separate days of testing: February 6, 2013 and March 27, 2013. Therefore, at this\r\ntime manual inspection of the applications permissions is required to detect the compromised application.\r\nhttps://citizenlab.ca/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/\r\nPage 6 of 11\n\nThe identifiers for the sample are listed below and further information is available on VirusTotal.\r\nMD5 cbc474e34f26b4afd02932d8cae9e401\r\nSHA-1 495b622d8209820022fe743c340b39e6e9313cd9\r\nSHA-256 9390a145806157cadc54ecd69d4ededc31534a19a1cebbb1824a9eb4febdc56d\r\ntable 1\r\nContextual Analysis\r\nWhile groups advocating for Tibetan rights have been the targets of persistent malware campaigns for many years,\r\nthis attack stands out for a number of reasons. First, it targets a prominent member of the Tibetan community and\r\nleverages legitimate emails that attempt to encourage the use of alternatives to applications with security issues\r\nlike WeChat when communicating with individuals in the Tibetan community. WeChat has been rapidly gaining\r\npopularity amongst Tibetans, including those in exile communities and individuals communicating sensitive\r\ninformation inside Tibetan areas.\r\nIn addition, the discovery of this malware comes at a particularly sensitive time for Tibetans and those working on\r\nissues related to Tibetan human rights. The wave of self-immolations amongst Tibetans has led to an increasingly\r\nsevere response from Chinese authorities. The practice of self-immolation among Tibetans has intensified\r\nsignificantly since Citizen Lab first examined information controls in Tibet in the wake of self-immolations over a\r\nyear ago. As of April 1, 2013, 112 Tibetans have self-immolated. The Chinese government’s response to such\r\npractice has become increasingly hardline, with officials explicitly characterizing measures employed to maintain\r\nstability in Tibetan regions as a “crackdown” in March 2013. This hardening policy is perhaps an indication of the\r\ngovernment’s view of the severity of the threat to its control presented by events in Tibet.\r\nhttps://citizenlab.ca/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/\r\nPage 7 of 11\n\nThe government and official media have characterized the underlying causes of self-immolation differently over\r\ntime, gradually moving to the position that the practice is the result of the influence of “foreign hostile forces,”\r\ncoordinated and encouraged by overseas Tibetan organizations as well as the Dalai Lama. The crackdown in Tibet\r\nagainst self-immolators and those who are alleged to incite them has already resulted in severe criminal sentences\r\nfor some individuals, based in part on “evidence” of their digital contact with overseas groups.\r\nWith official reliance on “evidence” of overseas contact as a basis for conviction and crackdown, it appears that\r\nChinese authorities are specifically targeting mobile devices in China as a perceived means of communicating and\r\norganizing self-immolations. In March 2013, reports emerged from Lhasa that Chinese authorities had introduced\r\nrestrictions against the use of mobile phones and had conducted a security sweep of mobile devices in the city’s\r\nmonasteries in an attempt to limit the dissemination of images and text.  Although we have no specific evidence\r\nlinking these new restrictions to the targeted malware we found, the timing is certainly suggestive and warrants\r\nfurther exploration.\r\nConclusion and Recommendations\r\nThis incident demonstrates the capacity of attackers to rapidly adapt their techniques in response to changes in the\r\ncommunication methods used by targeted communities. In this case, Tibetan community members began\r\ndiscussing alternative applications to WeChat following concerns raised about its security. In a tit-for-tat response,\r\nattackers quickly leveraged this change, duplicating a legitimate message and producing a malicious version of an\r\napplication being circulated as a possible alternative.\r\nThe malicious APKs linked to the Luckycat campaign [PDF], the recent Android malware attacks reported by\r\nKaspersky and the example presented here demonstrate that the Tibetan community is being actively targeted by\r\nmobile malware.\r\nThe attack we analyzed and the malware reported by Kaspersky are not technically related. The malware binaries\r\nand command and control infrastructure are different and there is no clear indication from technical comparison of\r\nthe two samples that the attacks were conducted by the same attacker(s). However, both attacks leveraged\r\ncompromised email accounts of high profile members of the Tibetan community and also included reference to\r\nthe Uyghur community (in the email lure of the sample reported by Kaspersky, and in the actual sender email\r\n“uygur52@gmx.com” and C2 domain “android.uyghur.dnsd.me” used in the attack we analyzed). Notably,\r\nauthorities in China have also targeted use of the “‘Internet, mobile phones and digital storage devices’” by\r\nUyghurs in the government’s campaign against the “three evils” of terrorism, separatism and extremism. These\r\nsimilarities are inconclusive, but suggest that mobile malware campaigns against these communities are likely to\r\ncontinue.\r\nThese examples demonstrate the risks communities face from targeted mobile malware. Attackers will continue to\r\nadopt new methods and widen targeting of platforms. For communities under persistent threat from targeted\r\nmalware campaigns, user vigilance and education are essential for reducing risk.\r\nThe Citizen Lab recommends:\r\nThat users exercise caution in opening unexpected or unsolicited attachments or opening unverified links.\r\nSee Citizen Lab’s Recommendations for defending against targeted cyber threats for additional\r\nhttps://citizenlab.ca/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/\r\nPage 8 of 11\n\ninformation, and Tibet Action Institute’s Detach from Attachments campaign.\r\nThat users be aware of mobile malware and exercise caution when installing mobile applications. Users\r\nshould pay close attention to the permissions requested by the malware, and should avoid installing\r\napplications that request permissions they do not need. The Guardian Project and other initiatives are\r\ndeveloping secure mobile applications to help users protect their communications and personal data from\r\nintrusion and monitoring.\r\nThat users consult the Tibet Action Institute’s Mobile Security resources, which are aimed at Tibetan\r\naudiences.\r\nUpdate (18 April 2013)\r\nThis update is also available in Tibetan language.\r\nFurther to our blog post of April 1, 2013, “Permission to Spy: An Analysis Of Android Malware Targeting\r\nTibetans” (see above), additional malware was found to be circulating in tandem with the Kakao Talk APK. The\r\nadditional malware is a compromised version of the TuneIn media player application, nominally available from\r\nthe website/company http://www.tunein.com but available as an APK from multiple sources.\r\nAs detailed in “Permission to Spy,” on December 4, 2012, an information security expert who works within the\r\nTibetan community sent a private email to a member of the Tibetan parliament-in-exile, based in Dharamsala,\r\nIndia. That email attached a genuine version of both Kakao Talk and TuneIn as .apk files. On January 16, 2013, an\r\nemail purporting to be from this same information security expert was sent to a high profile political figure in the\r\nTibetan community. That email contained the same text and what appeared to be the same attachments as the\r\nmessage from December 4, but, as documented in the prior post, included a compromised version of the Kakao\r\nTalk Android APK instead of the original file.\r\nWe have now determined that, in addition to the compromised Kakao Talk APK, the TuneIn APK file attached to\r\nthe January 16 spoofed email was also compromised. The malware found to be present in the TuneIn APK is\r\nfunctionally identical to the malware found in the Kakao Talk APK. The fake certificates used to sign both the\r\ncompromised TuneIn Radio and Kakao Talk APKs are identical in every respect.\r\nTuneIn is a media player application for listening to Internet Radio. TuneIn is used by Tibetans to listen to streams\r\nsuch as the Voice of America Tibetan service, to engage with their culture, and to stay on top of world news. It\r\nalso streams a wide variety of content, is well reviewed and is popular on the Google Play store. All of these\r\nfeatures make the application an attractive target for compromise.\r\nSimilar to the compromised Kakao Talk APK, the malicious TuneIn Radio APK adds permissions that allow\r\nattackers to collect user’s contacts, SMS message history and cellular network location.\r\nSince publication of our “Permission to Spy” report, 5/42 anti virus scanners tested on VirusTotal detect the\r\nKakako APK as malicious.\r\nThe identifiers for the TuneIn sample are listed below and further information is available on VirusTotal.\r\nhttps://citizenlab.ca/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/\r\nPage 9 of 11\n\nMD5 ba760392f171e2f05d0352cc1e00190c\r\nSHA-1 015ea52dba3b0e13d1acb4c1f2904b90eca2312c\r\nSHA-256 e769fdf8f2e1a5311ef089c422a7c0cb360d77082d7d1ef1ff39a95c9321ec40\r\ntable 2\r\nHow to Check if TuneIn is Compromised\r\nIf you have TuneIn Radio already installed on your phone and want to check if it is the real application and not\r\nmalware do the following steps:\r\nStep 1. Go to ‘Settings’\r\nStep 2. Go to ‘Apps’\r\nStep 3: Swipe to ‘All’\r\nStep 4. Find TuneIn Radio and press the icon to display permissions\r\nStep 5: Compare the permissions displayed on your phone with the image below\r\n(Note that different versions of Android may have different menu configurations, so the above steps may need to\r\nbe adjusted accordingly).\r\nIf you are installing TuneIn Radio from an APK, the permissions requested will be displayed so use the image\r\nbelow to compare to ensure that you are using a legitimate version of the application:\r\nhttps://citizenlab.ca/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/\r\nPage 10 of 11\n\nAcknowledgements: We are grateful to Dylan Neild for analysis and our Technical Advisory Group members,\r\nMorgan Marquis-Boire and Nart Villeneuve, for review and comments.\r\nSource: https://citizenlab.ca/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/\r\nhttps://citizenlab.ca/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/\r\nPage 11 of 11", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://citizenlab.ca/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/" ], "report_names": [ "permission-to-spy-an-analysis-of-android-malware-targeting-tibetans" ], "threat_actors": [ { "id": "dabb6779-f72e-40ca-90b7-1810ef08654d", "created_at": "2022-10-25T15:50:23.463113Z", "updated_at": "2026-04-10T02:00:05.369301Z", "deleted_at": null, "main_name": "APT1", "aliases": [ "APT1", "Comment Crew", "Comment Group", "Comment Panda" ], "source_name": "MITRE:APT1", "tools": [ "Seasalt", "ipconfig", "Cachedump", "PsExec", "GLOOXMAIL", "Lslsass", "PoisonIvy", "WEBC2", "Mimikatz", "gsecdump", "Pass-The-Hash Toolkit", "Tasklist", "xCmd", "pwdump" ], "source_id": "MITRE", "reports": null }, { "id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb", "created_at": "2023-01-06T13:46:38.228042Z", "updated_at": "2026-04-10T02:00:02.883048Z", "deleted_at": null, "main_name": "APT1", "aliases": [ "PLA Unit 61398", "Comment Crew", "Byzantine Candor", "Comment Group", "GIF89a", "Group 3", "TG-8223", "Brown Fox", "ShadyRAT", "G0006", "COMMENT PANDA" ], "source_name": "MISPGALAXY:APT1", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434437, "ts_updated_at": 1775826732, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/9ed23864965f3a112958a243db3cef428a5c9b50.pdf", "text": "https://archive.orkl.eu/9ed23864965f3a112958a243db3cef428a5c9b50.txt", "img": "https://archive.orkl.eu/9ed23864965f3a112958a243db3cef428a5c9b50.jpg" } }