Facebook Disrupts Chinese Spying Team Using iPhone and Android Malware to Hit Journalists, Dissidents and Activists


Facebook’s threat intelligence unit claims to have disrupted a sophisticated Chinese spying operation that targets journalists, protesters, and activists all over the world with iPhone and Android malware.

The hacking group, tracked as Evil Eye by malware researchers, used Facebook to spread links to websites rigged with exploits for the two major mobile platforms.

Mike Dvilyanski, Facebook’s Head of Cyber Espionage Investigations, has released an advisory with indicators of compromise (IOCs) and other information to help victims and targets thwart the attacks.

According to Dvilyanski, the Evil Eye gang has mostly targeted Uyghurs from Xinjiang and those living abroad in Turkey, Kazakhstan, the United States, Syria, Australia, Canada, and other nations.

He warned that the Evil Eye gang is “a well-resourced and persistent organisation,” adding, “This group used various cyber espionage techniques to identify its targets and infect their computers with malware to allow surveillance.”

Facebook revealed the group’s TTPs (tactics, techniques, and procedures), which included careful, selective targeting of victims. “This group took measures to hide their activities and secure malicious tools by infecting people with iOS malware only after they passed certain technical tests, such as IP address, operating system, browser, and country and language settings,” he explained.

The group also compromises or impersonates websites, using look-alike domains for popular Uyghur and Turkish news sites. “As part of watering hole attacks, they claimed to have compromised legitimate websites often visited by their targets. Some of the web pages contained malicious JavaScript code that looked similar to previously documented exploits that installed iOS malware known as INSOMNIA on people’s devices after they were hacked,” Dvilyanski said.
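The gating described in the two paragraphs above is what makes a watering hole hard to confirm: a single fetch from an analyst's sandbox, coming from a datacenter address with a desktop browser and English locale, only ever sees the clean decoy page. The following Python is an added illustration written for this article, not Facebook's advisory code and not anything recovered from the group. It models a simplified server-side gate (the real one also checked OS version and likely fingerprinted in JavaScript) and the differential probe an analyst uses to expose it. Every IP range (RFC 5737 documentation addresses), user agent, language preference and the exploit stand-in is a constructed assumption.

```python
"""Model of selective exploit delivery ("cloaking") on a watering-hole page, plus the
differential probe analysts use to expose it. Added illustration only: this is not
Facebook's or Evil Eye's code. Every IP range, user agent, language and the exploit
stand-in below is a constructed assumption (RFC 5737 documentation addresses)."""
import ipaddress
from dataclasses import dataclass

# Constructed gate parameters. The advisory says the real gate checked IP address, OS,
# browser, and country/language settings; the concrete values here are assumptions.
TARGET_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]    # "target country" range (assumed)
BLOCKED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # "sandbox/scanner" range (assumed)
TARGET_LANG_PREFIXES = ("ug", "tr")                            # Uyghur, Turkish (assumed)
EXPLOIT_STAGE = '<script src="/s/loader.js"></script>'         # stand-in for the exploit loader
DECOY_PAGE = "<html><body>news article</body></html>"


@dataclass(frozen=True)
class Request:
    ip: str
    user_agent: str
    accept_language: str


def passes_gate(req: Request) -> bool:
    """True only when the visitor looks like an intended target on every check."""
    ip = ipaddress.ip_address(req.ip)
    if any(ip in net for net in BLOCKED_NETWORKS):
        return False
    if not any(ip in net for net in TARGET_NETWORKS):
        return False
    ua = req.user_agent
    if "iPhone" not in ua or "Safari" not in ua:      # OS and browser check
        return False
    langs = [part.split(";")[0].strip().lower() for part in req.accept_language.split(",")]
    return any(lang.startswith(TARGET_LANG_PREFIXES) for lang in langs)


def serve(req: Request) -> str:
    """What the compromised page returns: the exploit to gated visitors, a decoy to everyone else."""
    return EXPLOIT_STAGE if passes_gate(req) else DECOY_PAGE


# Constructed probe profiles. A single fetch from a datacenter sandbox (first profile)
# would see only the decoy; the probe fetches with several profiles and compares.
IPHONE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/13.0.4 Mobile/15E148 Safari/604.1")
PROBE_PROFILES = {
    "sandbox-linux-en": Request("198.51.100.10",
                                "Mozilla/5.0 (X11; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0",
                                "en-US,en;q=0.5"),
    "iphone-wrong-network": Request("192.0.2.5", IPHONE_UA, "ug,tr;q=0.8"),
    "iphone-target-like": Request("203.0.113.7", IPHONE_UA, "ug,tr;q=0.8,en;q=0.5"),
}


def probe_for_cloaking(fetch, profiles=PROBE_PROFILES) -> dict:
    """Fetch the same page under each profile; differing bodies mean the page is cloaked.
    `fetch` takes a Request and returns the response body (here: serve())."""
    responses = {name: fetch(req) for name, req in profiles.items()}
    variants = {}
    for name, body in responses.items():
        variants.setdefault(body, []).append(name)
    return {"cloaked": len(variants) > 1, "responses": responses, "variants": variants}


if __name__ == "__main__":
    result = probe_for_cloaking(serve)
    print("cloaked:", result["cloaked"])
    for body, names in result["variants"].items():
        print(f"  {names} -> {body[:40]!r}")
```

Against a live suspect site the `fetch` argument would be a real HTTP client run from egress points that look like the target population (mobile carrier or residential addresses in the relevant country, a current iOS Safari user agent, an Accept-Language header with the target languages), and the bodies would be diffed rather than compared for equality. Two caveats the model leaves out: real gates often run the second half of the check in JavaScript on the client, so a plain HTTP fetch can pass the server-side filter and still never receive the exploit, and an operator who sees the same page requested under several profiles from one address may burn the site rather than serve it.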

Facebook also revealed that fake accounts were used to construct fictional personas posing as journalists, students, human rights activists, or members of the Uyghur community in order to gain confidence and trick people into clicking on malicious links.

The group has also been seen using phoney third-party app stores and outsourcing Android malware production to two Chinese firms. “These Chinese companies are most likely part of a large network of vendors with varying levels of operational security,” Dvilyanski said.

Facebook has published hashes and domains associated with this threat actor.
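A published list of domains and file hashes is only useful once it is swept against local telemetry. The Python below is an added example written for this article, not Facebook's tooling; the IOC values and log lines are constructed placeholders (reserved `.invalid` names and private addresses), so the real indicators from the advisory would be substituted for `IOC_DOMAINS` and `IOC_SHA256`. It matches DNS and proxy logs against the domain list, treating any subdomain of an indicator as a hit, and checks file hashes.

```python
"""Offline IOC sweep: match published domains and SHA-256 hashes against local logs.
Added illustration; the IOC values and log lines below are constructed placeholders,
not Facebook's published indicators."""
import hashlib
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-ins (replace with the advisory's real list).
IOC_DOMAINS = {"example-uyghur-news.invalid", "update.example-appstore.invalid"}
IOC_SHA256 = {hashlib.sha256(b"constructed sample apk bytes").hexdigest()}

# Constructed log lines: a DNS resolver log and a web proxy log.
DNS_LOG = """\
2021-03-24T10:02:11Z client=10.0.0.12 query=cdn.example-uyghur-news.invalid type=A
2021-03-24T10:02:15Z client=10.0.0.12 query=www.example.com type=A
2021-03-24T10:03:02Z client=10.0.0.40 query=UPDATE.Example-AppStore.invalid. type=A
"""
PROXY_LOG = """\
10.0.0.12 - [24/Mar/2021:10:02:12 +0000] "GET https://cdn.example-uyghur-news.invalid/news.html HTTP/1.1" 200
10.0.0.33 - [24/Mar/2021:10:05:41 +0000] "GET https://www.example.com/ HTTP/1.1" 200
"""

DNS_RE = re.compile(r"client=(?P<client>\S+) query=(?P<qname>\S+)")
PROXY_RE = re.compile(r'^(?P<client>\S+) .*?"(?:GET|POST) (?P<url>\S+)')


def normalize_domain(name: str) -> str:
    """Lower-case and strip the trailing dot resolver logs often keep."""
    return name.strip().rstrip(".").lower()


def domain_matches(name: str, ioc_domains=IOC_DOMAINS) -> Optional[str]:
    """Exact or subdomain match; returns the matching IOC or None.
    The leading dot in the suffix check stops 'notexample.invalid' matching 'example.invalid'."""
    name = normalize_domain(name)
    for ioc in ioc_domains:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(text: str, ioc_domains=IOC_DOMAINS) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, matched IOC) for every DNS query hitting the list."""
    hits = []
    for line in text.splitlines():
        m = DNS_RE.search(line)
        if not m:
            continue
        ioc = domain_matches(m["qname"], ioc_domains)
        if ioc:
            hits.append((m["client"], normalize_domain(m["qname"]), ioc))
    return hits


def scan_proxy_log(text: str, ioc_domains=IOC_DOMAINS) -> List[Tuple[str, str, str]]:
    """Return (client, host, matched IOC) for every proxied request to a listed domain."""
    hits = []
    for line in text.splitlines():
        m = PROXY_RE.search(line)
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        ioc = domain_matches(host, ioc_domains)
        if ioc:
            hits.append((m["client"], host, ioc))
    return hits


def scan_files(blobs: Iterable[Tuple[str, bytes]], ioc_hashes=IOC_SHA256) -> List[str]:
    """blobs: (name, contents) pairs; returns names whose SHA-256 is on the IOC list."""
    return [name for name, data in blobs if hashlib.sha256(data).hexdigest() in ioc_hashes]


if __name__ == "__main__":
    for hit in scan_dns_log(DNS_LOG) + scan_proxy_log(PROXY_LOG):
        print("network IOC hit:", hit)
    print("file IOC hits:", scan_files([("sample.apk", b"constructed sample apk bytes")]))
```

Two details matter in practice: DNS logs see the lookup even when the HTTP request never completes or goes over a connection the proxy cannot inspect, so both sources are worth sweeping, and a hash list only catches the exact samples Facebook recovered, so a domain hit from a mobile device should be treated as a lead to investigate even when no file on it matches.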

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.