Cyberwarfare / Nation-State Attacks , Endpoint Security , Fraud Management & Cybercrime

iPhone Hacks May Be Linked to Broader China Spying

Volexity Says Websites Related to Muslim Group Hit By Android Exploits
iPhone Hacks May Be Linked to Broader China Spying
Idkah Mosque in Kashgar, a city in the Xinjian Uyghur Autonomous Region, home to the Uyghurs, a Chinese Muslim minority group (Photo: Whitecat)

An extraordinary iPhone hacking campaign revealed by Google last week may be linked to other Android spying campaigns focused on websites related to the Uyghurs, a Chinese Muslim minority group, and the East Turkistan region of China, according to new research from Volexity.

See Also: 2024 Trending Tips for Surviving Ransomware

Washington-based Volexity, a security firm that focuses on forensics and incident response, says it recently observed 11 websites that were rigged to push malware to Android devices or collect device data. The campaigns appear designed to spy on members of the Uyghur diaspora.

“While Volexity can only confirm malware targeted Android users through Uyghurs' websites, it is reasonable to suspect that these same attack campaigns could have easily been leveraged to target Apple and Microsoft users,” write Volexity’s Andrew Case, Matthew Meltzer and Steven Adair in a blog post.

Adair tells Information Security Media Group that Google’s iOS research predates when his company began looking at the hacked sites around July.

Volexity’s report focuses on attacks on Android devices, but the company says it observed code on one website, the Uyghur Academy, in October 2018 that “may indicate a possible interest in targeting iPhone users. It cautioned, however, that the observed code was not a “smoking gun.”

Volexity says this code may be a sign that attackers also sought Apple devices with its reference to the App Store. (Source: Volexity)

Under the guise of stopping terrorism, China has been conducting a sweeping security operation against the Muslim minority Uyghur population in the Xinjian Uyghur Autonomous Region, also called East Turkistan by those seeking independence. China has imposed a campaign of imprisonment and surveillance aimed at snuffing out dissent, because for decades, Uyghur activists have sought independence from China.

Volexity says it has worked with Uyghur groups since 2013 and observed an increasing number of attacks aimed at ethnic Uyghurs living outside Xinjian. Those attacks are likely being conducted by two Chinese hacking groups, it says, through malware and invasive tracking.

“These operations can be used to track the movements of Uyghurs outside of China and spy on those they are communicating with,” Volexity writes.

Google said it observed “indiscriminate” attacks designed to compromise iOS devices after people visited certain websites. It did not identify the websites or the groups that were targeted.

But reports this week in TechCrunch and Forbes, citing anonymous sources, say the websites with the iPhone hacking code were targeted at the Uyghur community. Google officials did not offer an immediate comment.

Watering-Hole Attacks

Volexity says the 11 websites, which include the Uyghur Academy, Turkistantimes and the Uighur Times, are inaccessible within China due to the country’s content filtering.

All of the websites contained malicious code, and some have been “continuously leveraged to attack visitors going back at least four years,” Volexity says. Such attacks are sometimes referred to as “watering hole” attacks. Google is now displaying warnings advising that visiting some of the domains could be risky.

Volexity observed the deployment of Scanbox, a reconnaissance tool that collects a wide variety of device data, and also exploit code for Android devices. It has dubbed the group behind it Evil Eye.

In mid-August, Volexity says it observed Android exploit code on the websites of the Uyghur Academy, Turkistan Press, Turkistan TV and Istiqlal Haber. The attackers set up spoofed domains mimicking those sites and then implanted iframes on the legitimate sites that would pull malicious code.

Volexity says the attackers set up spoofed domains mimicking real ones to aid in attacks. (Source: Volexity)

The code would exfiltrate data such as the Android device’s IMEI, locale, network name, IP addresses, patch levels, serial number, device fingerprint and more, Volexity says. The code, however, isn’t persistent and it doesn’t appear capable of accepting more commands.

“Volexity suspects that this may indicate that attackers may look to conduct future exploitation of devices of interest or are otherwise looking to use this data to verify information obtained from the output of physical cellular device tracking,” the researchers write.

Track Covering?

Volexity says it noticed some activity after Google published its blog post on Aug. 29 that suggests the attackers were trying to scrub data.

Three bogus domains set up by the Evil Eye group -, and – stopped resolving. Also, the “majority of the malicious scrips reference on the compromised websites were removed in this same timeframe,” the company reports.

But it may be too late for people who previously visited the sites. Activist groups and dissidents have proved to be attractive targets for governments, whose digital surveillance and hacking resources can far outpace those groups’ defenses.

Adair says that vulnerable people should keep their devices up to date, but it’s difficult to tell people not to visit websites for fear of an attack. There are more technical methods to mask browsing and making it safer, such as using virtual machines, but sometimes those techniques aren’t practical, he says.

“What do you do? You can’t browse the web to legitimate sites anymore?” Adair asks. “It’s tough.”

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.