New Delhi, September 26th, 2022 – Check Point Research (CPR) spots an ongoing, mobile malware campaign consistently targeting Uyghurs for seven years. Attributed to the actor Scarlet Mimic, the malware campaign most likely leverages sphere-phishing techniques disguised in Islamic and artifacts, such as books, pictures and audio files. The malware is capable of stealing data, tracking location, recording audio and sending SMS messages. 

  • Malware deletes logs of calls and texts afterwards
  • Malware opens a decoy document to distract the victim from malicious actions
  • CPR diagrams evolution of malware throughout the years 

Check Point Research (CPR) sees an ongoing, mobile malware campaign that has consistently targeted Uyghurs for at least the past seven years. Attributed to the actor Scarlet Mimic, the malware campaign was disguised in multiple baits such as books, pictures, and even an audio version of the Quran. 

Malware Capabilities

a.                   Steal data from the mobile device - files, browser history, device information

b.                   Track real-time geolocation

c.                   Record audio of calls and surroundings

d.                   Perform calls and send SMS messages on victim's behalf, deleting logs afterwards


Malware Distribution

CPR believes the malware is distributed via a form of spear phishing that includes trojanized files. The malware is disguised in lures such as books, pictures, and audio files connected to Uyghurs or to Islam. When the victim opens the lure, it actually launches the malicious application, opening a decoy document to distract the victim from malicious actions.

Malware Evolution

Throughout the years, some changes were introduced by the developers. A few of these changes were clearly developed to reduce the chances of the malware being detected by security solutions: the malware authors experimented with the ways to hide the malicious strings. The actors also added a few adjustments and features to gather more information from their victims’ devices.

Quote: Sergey Shykevich, Threat Intelligence Group Manager at Check Point Software

“We discovered a mobile malware campaign consistently targeting Uyghurs for at least 7 years. The campaign has been very consistent during the years, with the last sample dated to middle of August 2022. The scale and the persistence of the campaign is remarkable. 

Furthermore, the malware has a lot of active capabilities like calls and surround recording, real time geolocation and even the capability to conduct calls and send SMS messages by using the victim's phone. All this allows the threat actor behind the campaign to build a great intelligence picture around its targets. 

We suspect the actor Scarlet Mimic is behind this espionage campaign. We will continue to monitor the situation.”

*Disclamier: "The pages slugged ‘Press Release’ are equivalent to advertisements and are not written and produced by Industry Outreach Magazine journalists/Editorial." We do not hold any copyrights towards the content or image. Image source: Newswire