FireEye experts discovered the messagetap malware created by Chinese government hackers. The malware is designed for Linux machines and was created to be hosted on SMSC (Short Message Service Center) servers, which are responsible for the operation of the short message service in the networks of telecom operators. Malvar helps to “listen” to SMS messages by applying a set of specific filters to them.
Researchers discovered Messagetap on an unnamed mobile carrier network earlier this year. How exactly the infection occurred is not specified.
Malware is able to “delay” SMS messages for subsequent theft if the message body contains certain keywords. According to FireEye, among these keywords were various objects of geopolitical interest for Chinese intelligence services, including the names of political leaders, the names of military and intelligence organizations, and political movements.
The malware is also interested in messages sent to or from certain numbers, as well as specific devices, based on their IMSI. At the time of discovery, it tracked thousands of phone numbers and IMSI at the same time.
Specialists associate Messagetap with the relatively “young” Chinese hacker group APT41. Earlier, FireEye experts wrote that this group is different from others, since in addition to political espionage, it also practices operations that have clear financial motives (they are probably carried out by members of the group for personal purposes).
Although FireEye experts did not disclose the name of the affected company, Reuters reporters report that MessageTap’s activity is related to the efforts of the Chinese authorities to track the Muslim minority, Uighurs living mainly in Xinjiang province.