The saga began on March 24th, 2013, when the e-mail account of a high-profile Tibetan activist was hacked and used to send "spear phishing" e-mails to their contact list. The attachment on the e-mail was supposed to be a letter from the WUC, the Unrepresented Nations and Peoples Organization, and the Society for Threatened Peoples about the earlier World Uyghur Congress.
Instead -- and it's clear from the image above that a simple look at the file suffix would have been a warning -- the attachment was an APK file that contained an Android trojan. When opened, the trojan installs an app called "Conference" on the Android device. If the app is launched, it displays a fake message from the chairman of the WUC while sending a message back to a command-and-control server to report its successful installation.
The C&C server is located in Los Angeles, but registered to a company in Beijing. At this point, the app begins grabbing contacts, SMS messages, geo-location data and other information from the victim's phone. Whenever an SMS containing any of the following words is delivered to the phone, the payload is sent to the server: "SMS," "contact," "location," or "other."
Until now, we haven't seen targeted attacks against mobile phones in the wild, although we've seen indications that these were in development. The simplest way to avoid this type of attack is to avoid opening attachments in e-mails you weren't expecting. It's the same old maxim once given to Windows users.
The current attack took advantage of the compromise of a high-profile Tibetan activist. It is perhaps the first in a new wave of targeted attacks aimed at Android users. So far, the attackers relied entirely on social engineering to infect the targets. History has shown us that, in time, these attacks will use zero-day vulnerabilities, exploits or a combination of techniques.
For now, the best protection is to avoid any APK attachments that arrive on mobile phones via e-mail.
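As an added illustration (not code from the original article or from Kaspersky), here is a mail-gateway check that identifies an APK attachment by its content rather than by its file suffix, since a package can arrive under any name. The sample attachments and filenames it is fed are constructed for this example.

```python
import io
import zipfile

# Every Android APK is a ZIP archive; these two entries mark it as a package.
APK_MARKERS = ("AndroidManifest.xml", "classes.dex")
ZIP_MAGIC = b"PK\x03\x04"


def is_apk(data: bytes) -> bool:
    """Return True if the bytes are a ZIP archive carrying APK-specific entries."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(marker in names for marker in APK_MARKERS)


def classify_attachment(filename: str, data: bytes) -> str:
    """Decide what to do with an attachment based on its content, not just its name."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if is_apk(data):
        # A "letter" is never an Android package: quarantine whatever the suffix says.
        if ext != "apk":
            return "quarantine: APK content (disguised as .%s)" % ext
        return "quarantine: APK content"
    if ext == "apk":
        # Suffix alone is enough to hold it for review even if the archive is damaged.
        return "quarantine: .apk suffix"
    return "allow"


def build_sample_apk() -> bytes:
    """Constructed minimal APK-shaped ZIP used only as sample input (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed filenames; the second mimics a package renamed to look like a letter.
    for name, blob in (("conference_letter.apk", build_sample_apk()),
                       ("conference_letter.pdf", build_sample_apk()),
                       ("conference_letter.pdf", b"%PDF-1.4 sample")):
        print(name, "->", classify_attachment(name, blob))
```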
We detect the malware used in this attack (via Kaspersky's Android antivirus app) as "Backdoor.AndroidOS.Chuli.a".