A Chinese hacking group has been found leveraging a new exploit chain in iOS devices to install a spyware implant targeting the Uyghur Muslim minority in China's autonomous region of Xinjiang.

The findings, published by digital forensics firm Volexity, reveal that the exploit — named "Insomnia" — works against iOS versions 12.3, 12.3.1, and 12.3.2 using a flaw in WebKit that was patched by Apple with the release of iOS 12.4 in July 2019.

Volexity said the attacks were carried out by a state-sponsored hacking group it calls Evil Eye, the same threat actor that it said was behind a series of attacks against the Uyghurs last September following a bombshell disclosure by Google's Project Zero team.

China has long considered Xinjiang a breeding ground for "separatists, terrorists and religious extremists," with the residents of the region — ethnically Turkic Muslims — thrown into concentration camps, and subjected to persecution and high-tech surveillance.

Watering Holes Attacks Targeting Uyghur Websites


The malware campaign previously exploited as many as 14 vulnerabilities spanning from iOS 10 all the way through iOS 12 over a period of at least two years via a small collection of malicious websites that were used as a watering hole to hack into the devices.

According to Volexity, Insomnia was loaded on the iOS devices of users using the same tactic, granting the attackers root access, thereby allowing them to steal contact and location information, and target various instant messaging and email clients, including Signal, WeChat and ProtonMail.

In its report, the company said that in the aftermath of last year's exposé, the Evil Eye actor removed malicious code from the compromised websites and took down its command-and-control (C2) server infrastructure, until it began observing "new activity across multiple previously compromised Uyghur websites" starting in January 2020.

It's worth pointing out that the open-source browser engine WebKit is the basis for Safari and other third-party web browsers on iOS such as Google Chrome and Firefox due to restrictions imposed by Apple's App Store Review Guidelines (Section 2.5.6).

"Volexity was able to confirm successful exploitation of a phone running 12.3.1 via the Apple Safari, Google Chrome, and Microsoft Edge mobile browsers," the research team said.

The new watering hole attacks compromised six different websites (e.g., the Uyghur Academy website or akademiye[.]org), which, when visited, loaded the Insomnia implant on the device.

The Spyware Now targets ProtonMail and Signal


As for the Spyware, it appears to be an updated version of the implant detailed by Google's Project Zero security group, but with support for HTTPS communication and added capabilities to transmit information about each app that's installed on the device as well as exfiltrate some data from secure email and messaging apps like ProtonMail and Signal.

To be noted, the malware itself doesn't let attackers read the content of encrypted messages received over ProtonMail or Signal; instead, it steals attachments once saved to the device's storage.

A spokesperson from ProtonMail confirmed to The Hacker News that it's iOS app doesn't store decrypted emails in device storage; instead, when a user opens an email, it is decrypted and only stored in the memory for the brief time the user has the message screen open.

'That said, it is important to remember that once a device is compromised, it becomes increasingly difficult to protect data stored locally. That's why we recommend that users activate PIN/TouchID/FaceID protection in the ProtonMail app Settings. This adds an important additional level of protection,' the end-to-end encrypted email service said.

"As noted in September 2019, Volexity suspected that the Evil Eye attackers had also targeted iPhones based on the attackers' C2 servers going offline shortly after Project Zero's findings were made public," the researchers concluded.

"These more recent findings confirm the suspicion that the attackers were indeed likely the same. It can now be confirmed that in the past six months, Uyghur sites have led to malware for all major platforms, representing a considerable development and upkeep effort by the attackers to spy on the Uyghur population."

"Volexity also noted that the malware has no mechanism for persistence. This indicates that the attackers must work quickly to obtain data that they want from a device before it reboots, or that they may potentially rely on the ability to reinfect a phone."