Elliot Alderson
@fs0c131y
Tue Jan 30 21:39:45 +0000 2018

<Thread> China spies on fellow citizens with the help of private enterprise. Here is an example. 1/18

In July, 2017, @mashable and @fossbytes14 published an article explaining that the Chinese authorities are forcing its Muslim minority population in Xinjiang to install spyware on their smartphones. 2/18
https://t.co/2kZgbYH5q5

Fossbytes based its article on Twitter user comments, including those of @o66071443. @o66071443, who was very active on Twitter, with +8K tweets and +32K followers, has not published anything since October 3, 2017. 3/18
https://t.co/mNjFEcQ6qC

Mashable also used a tweet from @wenyunchao, a Chinese Internet Activist. 4/18
https://t.co/cuE4fdvbw6

In both articles, they used this notice, written in Uyghur and Chinese, which was sent by WeChat to residents in Urumqi, Xinjiang's capital. 5/18 https://t.co/z0iZS2cy3W

Here is a translation of the notice made by Google Translate. 6/18 https://t.co/ceCe7bvcGK

As noticed by users on @HackerNews, this notice contains a QR code that allows you to download spyware. To this day the link is still active. 7/18
http://47.93.5.238:8081/APP/GA_AJ_JK/GA_AJ_JK_GXH.apk

By playing with the parameters of the URL, we can find 2 other applications. The links on the page can be translated: "Download Public Security Check", "Download Public Security Project". 8/18
http://47.93.5.238:8081/APP/

Thanks to VirusTotal I managed to get 6 different additional samples. I will analyse these applications in a next thread, this one is already super long. 9/18

The IP address 47.93.5.238 corresponds to https://t.co/v35rGtRpOX. Whois information shows that this domain has been registered with a landasoft address. 10/18 https://t.co/1hh5t2Nezo

According to @Bloomberg, Shanghai Landasoft Data Technology Inc. designs and develops prepackaged software solutions for data management and analysis; human management; and criminal suspects trajectory and intelligence analysis. 11/18
https://t.co/GBqY4wI02X

Moreover, did you notice the itap in the URL? iTAP is a "product" of Landasoft. Here is the video presentation available on their website. Take the time to watch the full video and then think about the implications. 12/18 https://t.co/b9U91rAgm1

If you want to know more about iTAP and how it's used, you can check the case center. 13/18
https://t.co/M9uDdvgQKr

By analyzing the APKs found previously, we can find the iTAP backend which is accessible only on mobile. 14/18 https://t.co/7eCJVevT7n

Take the time to zoom in on the banners, to observe the number of logos. It's frightening... 15/18 https://t.co/BLp2xBD7WA

From this site you can download 2 files called ITAP_x32 and ITAP_x64. These archives contain an exe file detected as Trojan.Win32.KillProc.eljgui by NANO-Antivirus. 16/18
https://t.co/pxMyv7yXHF

This exe file will install a modified version of Chrome. If you are a reverse engineer specialized in this field, can you analyze this file? Your help will be super appreciated. 17/18 https://t.co/HkTT0XyboC

That's all! 18/18

Tue Jan 30 21:39:55 +0000 2018