Spyware Campaign "Poison Carp" Targeted Tibetan Groups via WhatsApp
Between November 2018 and May 2019, senior members of Tibetan groups received malicious links on WhatsApp from attackers posing as NGO workers and journalists. The targets included the Private Office of the Dalai Lama, the Central Tibetan Administration, the Tibetan Parliament, and various human rights groups.
A team of Canadian cybersecurity researchers uncovered this mobile hacking campaign, attributing it to a group they named "Poison Carp". The campaign used one-click exploits for iOS and Android, sent via malicious links. When opened, these links exploited browser vulnerabilities to stealthily install spyware.
The researchers found "technical overlaps" between Poison Carp and other campaigns against the Uyghur community, leading them to believe the group is sponsored by the Chinese government.
Capabilities of the Spyware
Researchers observed 17 intrusion attempts against Tibetan targets. Once installed, the malicious implant allowed attackers to:
- Gain full control of the victim's device.
- Exfiltrate data including text messages, contacts, call logs, and location data.
- Access the device's camera and microphone.
- Exfiltrate private data from Viber, Telegram, Gmail, Twitter, and WhatsApp.
- Download and install additional malicious plugins.
Additionally, the attackers used a malicious OAuth application to gain access to victims' Gmail accounts. Although this was not the first campaign targeting the Tibetan government, researchers noted that it was the "first documented case of one-click mobile exploits used to target Tibetan groups."


