According to Kaspersky Lab researchers, the e-mail account of a prominent Tibetan activist was hacked on March 24, 2013, and was used to send spear phishing e-mails to the activist's contact list. Notably, the e-mails contained an APK attachment -- a malicious Android file -- rather than Windows or Mac malware.
The malicious file installs an app named "Conference" on the victim's Android home screen. When the app is launched, it displays a message regarding the World Uyghur Conference, then begins harvesting data from the device, including all contacts, call logs, SMS messages, geo-location, and device data.
"It is important to note that the data won't be uploaded to [the] C&C server automatically," write Kaspersky's Costin Raiu, Kurt Baumgartner and Denis Maslennikov. "The Trojan waits for incoming SMS messages (the 'alarmReceiver.class') and checks whether these messages contain one of the following commands: 'sms,' 'contact,' 'location,' 'other.' If one these commands is found, then the malware will encode the stolen data with Base64 and upload it to the command and control server."
According to the researchers, the command and control server is hosted at Los Angeles-based Emagine Concept Inc., and the domain is registered at an address in China.
"Until now, we haven't seen targeted attacks against mobile phones in the wild, although we've seen indications that these were in development," Raiu, Baumgartner and Maslennikov write. "The current attack took advantage of the compromise of a high-profile Tibetan activist. It is perhaps the first in a new wave of targeted attacks aimed at Android users."