Tibetans targeted by spyware for Iphone and Android


November 12, 2018 was a beautiful sunny day in Dharamshala. Cars honked in the bazaar while overnight Delhi buses tried to maneuver through the small twisting roads. In Mcleodganj, the hilltown was bustling as ever with both local and international tourists. Later that night, a senior staff member at a Tibetan human rights group was contacted on WhatsApp from a previously unknown number.

This contact person claimed to be “Jason Wu,” head of the “Refugee Group” at Amnesty International’s Hong Kong branch. He quickly introduced the topic of a recent self-immolation in Tibet and claimed to be attempting to verify social media reports for use in an upcoming Amnesty International report on human rights in China, and for an upcoming statement critical of the Chinese government’s treatment of ethnic minorities.
During the conversation Jason Wu sent links to information he claimed was related to the case. While for an activist in the Tibetan movement this may seem like an everyday request it had sinister motives behind it. Jason Wu is not a real person and does not work at Amnesty International. The links that were sent included exploits (malicious code that takes advantage of software vulnerabilities) for iOS the operating system of iPhone. If the links were clicked on an iPhone running a vulnerable version of iOS (11.0 through 11.4) the phone would have been infected with spyware that could steal information from the device and the apps running on it. Figure 1 shows the conversation between the fake person and the Tibetan activist.
The University of Toronto’s Citizen Lab reports that this campaign is the first documented case of one-click mobile exploits used against Tibetans, reflecting an escalation in the sophistication of digital espionage threats targeting the Tibetan community. This campaign appears to be carried out by a single operator that Citizen Lab called POISON CARP.


Figure 1: An infection attempt on the early hours of November 13th, 2018 shows the level of effort put into social engineering.

The Infection Attempts

The conversation with “Jason Wu” was not an isolated incident but part of an effort to infect phones of prominent people in the Tibetan community including members of 

  • The Private Office of His Holiness the Dalai Lama, 
  • The Central Tibetan Administration,
  • The Tibetan Parliament, and 
  • Tibetan human rights groups

In addition to targeting iPhones the spying campaign also targeted Android devices  and tried to use malicious OAuth applications to gain access to Gmail accounts. Over the course of the campaign  

Citizen Lab collected one iOS exploit and eight distinct Android exploits. In total 15 attempts were made to infect mobile phones. 

There were 15 infection attempts and these attempts took place between November 11-14, 

Of these 15 infection attempts, 12 were sent to Tibetan targets with links to the iOS exploit.  All but one of the attempts were sent between November 11-14, 2018, with the last attempt sent on April 22, 2019.  Table 1 shows the targets and exploits sent to both Android and iOS phones.

iOS Android
Exploit(s) 1 8
Targets 12 3

Table 1: Infection attempts across iOS and Android phones

The targeted individuals received malicious links in individually tailored WhatsApp text exchanges from seven fake personas designed to appear as journalists, staff at international advocacy organisations, volunteers to Tibetan human rights groups, and tourists to India. The fake personas  actively engaged in conversations and persistently attempted to infect targets, demonstrating significant effort in social engineering. The fake personas exclusively used phone numbers on WhatsApp with Hong Kong country codes (+852). Links were sent using URL shorteners such as bit.ly to disguise the actual link.  

“New York Times” reporter reporting

In another intrusion attempt, a staff member from the same Tibetan human rights organization was contacted by “Lucy Leung” a persona masquerading as a New York Times reporter seeking an interview (Figure 2) whilst targeting the individual with  an iOS infection attempt. Despite clicking on the link, the target was not infected as they were using an Android device. Perhaps realizing that the target was using an Android device, the persona sent an Android exploit link, this time disguising it via bit.ly.

Figure 2: After sending an iOS exploit link (left) the fake persona sends Android exploit link (right).

Accessing your Gmail 

Besides iOS and Android exploit chains, Open Authentication (OAuth) is also used in phishing attacks both in targeted operations and generic cyber crime. Recently we have also seen campaigns using malicious OAuth applications targeting the Tibetan community, potentially in an effort to bypass users who are using two factor authentication on their Google accounts. 

On May 31, 2019, a member of the Tibetan Parliament received a WhatsApp message requesting confirmation of a news story. The message included two bit.ly links (Figure 3). The first link sent in the message lined to hxxps://www.energy-mail[.]org/B20V54 , which redirected to a Google OAuth application called Energy Mail that requests access to Gmail data. The second link served an Android exploit. 

Figure 3: Two bit.ly links were shared where the first one redirected to the Google OAuth application (requesting access to target’s Gmail data) while the second link served an Android exploit


In the past decade, digital security threats towards the Tibetan community has shifted from sending malware as email attachments to phishing and exploit campaigns carried out by POISON CARP.  This shows that the operators are changing their tactics in response to the Tibetan community’s awareness campaign. It also demonstrates the ongoing digital security challenges Tibetan groups face. 

A common thread between these different espionage campaigns is a focus on clever social engineering rather than technical sophistication of exploits or malware. These campaigns, also, collectively document the first case of one-click mobile exploits used to target the Tibetan community. It also overlaps with two recently reported campaigns against Uyghur organizations; thus reflecting  a growing technical and social engineering sophistication in threats targeting the Tibetan community as well as other groups in China. 

For the full report by Citizen Lab with the technical data, please read-https://citizenlab.ca/

As a target community, it becomes critical that we report these infection attempts immediately to protect and grow our digital security knowledge as a community. Please contact us at info@tibcert.org if you have any questions or notice anything suspicious with your digital devices. Lastly, as we meditate to clear our minds and help increase our focus – we can do the same for our devices by keeping it updated with the latest security releases thereby keeping it free of any infections.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to Top