Sony Xperia Z3 Spy App Reveals New Trend in China’s Cyberespionage

Similar breaches now found in smartphones from three companies
October 30, 2014 Updated: October 30, 2014

Mysterious files have been found on two models of Sony Xperia smartphones, and researchers found that they relay data to Chinese servers.

The file is called “Baidu,” which is China’s version of Google. It was found on Xperia Z3 and Xperia Z3 Compact phones. If a user tries to remove the file, it automatically restores itself after a short time. The independent Xperia Blog says the file is rooted in the firmware of the phones.

Sony announced in its support forums that the infected “folder will be removed in future software updates for the phone.”

This is the third time such an attack has been found. It is nearly identical to similar spying campaigns found in smartphones from China’s Xiaomi and from an unnamed Chinese smartphone maker.

In all cases, the breach used an infected smartphone app embedded in the phone’s firmware that relays data back to China.

In all three cases, the infected app would also restore itself if deleted, since it was rooted in the phone’s firmware.

German security company G Data revealed on June 16 that China’s Star N9500 smartphones, which are sold online by an unnamed company, contain a file called Uupay.D that relays data from the phone back to China.

The phone’s spying file was disguised as a Google Play program and runs quietly in the background. Christian Geschkat, G Data’s product manager for mobile solutions, said in a blog post: “The possibilities with this spy program are almost limitless.”

Just one month later, a similar spying app was found on smartphones from China’s Xiaomi.

It was first uncovered by a user on Hong Kong forum IMA Mobile who was reviewing the Xiaomi Redmi Note smartphone. Researchers at security company F-Secure then confirmed the findings.

The Xiaomi Redmi Note smartphones were continually trying to connect to an IP address in Beijing. Researchers found the phones continued relaying data even after they wiped the phones and installed new versions of Android—suggesting again that the “feature” lives in the phone’s firmware.
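The wipe-and-reinstall observation above suggests a straightforward defender’s check: a destination that a phone keeps contacting at regular intervals both before and after a factory reset cannot belong to a user-installed app. The following is an added example, not code from the article or from the researchers it names; the connection log is constructed and the addresses are TEST-NET placeholders, not the real Beijing server.

```python
"""Flag destinations a phone beacons to both before and after a full wipe.
Added illustration only; the log below is constructed, not captured."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (seconds since boot, phase, destination IP, bytes sent).
# 203.0.113.7 stands in for the persistent server; 198.51.100.x is ordinary traffic.
SAMPLE_LOG = [
    (10, "before_wipe", "203.0.113.7", 812),
    (610, "before_wipe", "203.0.113.7", 820),
    (1210, "before_wipe", "203.0.113.7", 815),
    (1300, "before_wipe", "198.51.100.20", 4000),
    (1810, "before_wipe", "203.0.113.7", 818),
    (15, "after_wipe", "203.0.113.7", 809),
    (620, "after_wipe", "203.0.113.7", 811),
    (1215, "after_wipe", "203.0.113.7", 813),
    (1290, "after_wipe", "198.51.100.44", 2300),
]

def find_wipe_survivors(records):
    """Destinations seen in both phases: traffic a factory reset did not
    remove points at the firmware image rather than at a user app."""
    phases = defaultdict(set)
    for _, phase, dst, _ in records:
        phases[dst].add(phase)
    return sorted(d for d, p in phases.items()
                  if {"before_wipe", "after_wipe"} <= p)

def beacon_regularity(records, dst, phase):
    """(mean_interval, jitter) between successive connections to dst in one
    phase, or None with too few samples. Low jitter relative to the mean is
    the 'continually trying to connect' pattern the researchers described."""
    times = sorted(t for t, p, d, _ in records if d == dst and p == phase)
    if len(times) < 3:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    return mean(gaps), pstdev(gaps)

def report(records, max_jitter_ratio=0.1):
    """Wipe-surviving destinations whose connection timing is periodic."""
    findings = []
    for dst in find_wipe_survivors(records):
        for phase in ("before_wipe", "after_wipe"):
            stats = beacon_regularity(records, dst, phase)
            if stats and stats[1] <= max_jitter_ratio * stats[0]:
                findings.append((dst, phase, round(stats[0]), round(stats[1], 1)))
    return findings

if __name__ == "__main__":
    for finding in report(SAMPLE_LOG):
        print("periodic beacon surviving wipe:", finding)
```

On the constructed log the only destination flagged is the placeholder server, beaconing every 600 seconds in both phases.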

Smartphones are valuable targets for espionage. People carry them on their bodies at all times, the devices have microphone and video capabilities, and people often store large amounts of personal data on their phones.

China’s state hackers seem keenly aware of the value smartphones have for spying.

A spying campaign targeting smartphone users who support the pro-democracy movement in Hong Kong was recently uncovered. The attacks were uncovered on Sept. 30 by researchers at Lacoon Mobile Security.

The attack on pro-democracy protesters in Hong Kong targets Android phones as well as iPhones and iPads. Protesters received a note on the mobile messaging tool WhatsApp telling them to download the infected app, which was promoted as a tool to help in the protests.

Researchers at Lacoon Mobile Security believe the Hong Kong attack comes from the Chinese regime, due both to its targets and the high level of sophistication needed for such an attack.

Taken broadly, it appears that hackers with the Chinese regime have found a soft spot in global cybersecurity, and one that rewards them with significant information and access.

In related news, the Chinese regime is looking to control the market for smartphone apps in China. The South China Morning Post reported on Oct. 27 that the regime is looking to consolidate the smartphone app market.

China’s State Internet Information Office, which is under its State Council and is in charge of regulating the Internet, has been discussing rules for mobile apps. The campaign is being pitched by China’s state-run media as something aimed at cracking down on malware.

However, if the Chinese regime is behind many of the smartphone attacks we’ve seen recently—as many security experts believe—then the regime’s regulation of the smartphone market could solidify its hold over a new form of espionage that is fundamental to devices, widespread, and impossible to remove.

Follow Joshua on Twitter: @JoshJPhilipp