A Double Agent App Targets Hong Kong’s Protesters

Tear gas and government warnings haven’t stopped the protesters demanding democratic elections in Hong Kong. But a bit of spyware injected into the activist movement may have been sent to do the trick.

A mobile app marketed as a tool to help activists organize is actually a spying program, protesters have discovered.

Two weeks ago, spam text messages started pinging the mobile phones of Hong Kong residents associated with the protests. “Check out this Android app designed by Code4HK for the coordination of Occupy Central!” was the message protesters received, according to the the South China Morning Post, which first reported on the app.

Early on there were signs that the app wasn’t what it seemed. For one thing, its supposed designers denied having anything to do with it. Code4HK, a Hong Kong group “where geeks gather” and “drive social changes with technology,” according to their website, released a statement saying: “None of the Code4HK community has done any application on [Occupy Central] at the moment nor sent the message.”

Suspicious of how much information it required from users—including phone logs and GPS data—activists started to take the app apart. What they found was a piece of spyware siphoning data and creating audio files of voice calls. A crowd-sourced effort to analyze the app’s code drawing on outside hacktivists and protesters in Hong Kong has shown it can do everything from track a users geo-location data and text history to recording all outgoing phone calls.

If that’s the case, it wouldn’t be the first time China used spyware to lure its own citizens into a surveillance net. A Citizenlab report from April 2013 detailed how Chinese authorities appeared to be using malware to target Tibetan human rights advocates, a tactic they also used against the minority Uyghur community. And China’s not the only state deploying malware against its citizens.

A German-based company, FinFisher, sells commercial software used for remote monitoring that’s been purchased by police departments and governments including Mongolia’s and Belgium’s. Evidence shows that the government of Bahrain used the spyware to monitor political activists, including a naturalized American citizen.   

As activists have turned to social media to organize anonymously, it’s made them vulnerable to new forms of intelligence gathering. And repressive states haven’t missed the chance to use the Internet as a weapon for shutting down opposition. Russia routinely blocks the websites of dissidents and recently replaced the head of the country’s largest social media site with a government loyalist. Syria’s Assad regime has flipped the Internet kill switch a number of times during the country’s civil war before restoring service to continue surveillance on its enemies.

Along with a barricades and bludgeons approach to dealing with protests and political dissent, the Chinese government has taken an active role in policing the Internet. Beijing’s aggressive regime of Internet censorship has earned the nickname “the Great Firewall” and the distinction of having “the largest recorded number of imprisoned journalists and cyber-dissidents in the world,” according to Amnesty International. But that by itself is hardly proof that the Chinese government created the app, only that it has the ability and political motive. 

There was a time not that long ago when governments more or less monopolized spying on political protests. But these days, the online espionage field is crowded with commercial bots whose profits depend on tricking users out of the personal information they don’t freely divulge. Today, a phony app trying to spy on political dissidents isn’t the smoking gun of state power it used to be.

So activists started doing detective work, to see who was behind the malware. It didn’t take long for them to discover where the app was sending its ill-gotten data. They found that all the information captured by the spyware was sent to a remote server in Korea. Code4HK, the activist group the spyware impersonated, claims the server’s IP address was “used as malware service before in Nov. 2013.” A more telling point: The server’s remote login screen is written in simplified Chinese, a dialect that’s associated not with Hong Kong but mainland China and the national government.

What the analysis can’t reveal with any certainty is who gave the order to spy on the protests. The obvious suspect is the Chinese government. In addition to running some of the world’s most powerful cyber espionage programs, China also has the motivation—a desire to keep tabs on political dissidents and disrupt protest movements before they have time to expand. Right now the evidence tying the app to Beijing is circumstantial but many protesters have no doubt that it’s their government behind the spying.

“I think the central government is very likely to be behind the trojan Android app attempt,” said one protester, a Hong Kong resident and computer software professional, who asked that his name not be used.

Whoever designed the app, it wasn’t particularly well engineered. Malware analayst Claudio Guarnieri called it “far from being one of the most sophisticated ones I've seen.”

Raymond Bakker, a software developer and whitehat hacker, has taken the investigation a step further.

Using the same approach as forensic linguists who try to identify the author of a text by its writing style, Bakker studied the patterns in the spyware’s code and went looking for its programmer. What he found was “a post on a Chinese Android developer forum discussing roughly the same code that is used in the malware.” Bakker says that he is “pretty sure that the author of this post has ties with the malware” because “The way this code is written is unique and does not exist elsewhere on the Internet.”

Studying the app, Bakker found clues, but isn’t sure of its provenance or exactly what it leads to other than an avatar on an Internet forum. What Bakker and others have provided is one more path to look down for a growing group of online sleuths trying to see behind the code.

Beyond that, it has made the activists themselves more vigilant. “We are not aware of any new spyware/malware being spread at this point,” one protester told The Daily Beast. “We also regularly remind participants to use a number of secure and proven communications apps,” he said.

Editor's note: This story has been updated with new information.