Security firm Volexity said today that it has discovered a new iOS exploit that was being used to spy on China's oppressed Uyghur minority.

The exploit, which Volexity named Insomnia, works against iOS 12.3, 12.3.1 and 12.3.2. Apple patched the vulnerability behind it in July 2019, with the release of iOS 12.4.

Volexity said Insomnia was used in the wild between January and March 2020.

The exploit was delivered to the iOS devices of users who visited various Uyghur-themed websites. Once a victim loaded one of these sites, the Insomnia exploit ran on the device and gave the attacker root access.

The attackers used this access to steal plaintext messages from multiple instant-messaging clients, emails, photos, contact lists and GPS location data.

Insomnia exploit used by the Evil Eye group

Volexity said the exploit was deployed by a threat actor the company tracks under the name Evil Eye.

The Evil Eye group is believed to be a state-sponsored hacking unit operating on behalf of Beijing that spies on the Muslim Uyghur minority in China.

This is the same group that Google and Volexity exposed in August 2019, when it was found to have used 14 iOS exploits to target Uyghurs since at least September 2016. Those 14 exploits were deployed with the same tactic: a "watering hole" attack, in which the exploit is planted on a website and the attackers wait for their targets to visit it.

In a new report released today, Volexity says that once Google published its analysis of the 14 iOS exploits, Evil Eye shut down its infrastructure and stopped using the earlier exploits.

But according to Volexity, the group resurfaced in January 2020 with the new Insomnia exploit and picked up where it left off, targeting the Uyghur minority in a new series of watering hole attacks.

It is now also targeting Signal and ProtonMail

Volexity researchers say the new Insomnia exploit also brings improvements over the 14 iOS exploits the group used before.

The previous batch of exploits, used in attacks between 2016 and 2019, could steal GPS coordinates, photos from the iOS Photos app, the Contacts app's address book, Gmail emails, and messages from WhatsApp, Telegram, WeChat, iMessage and Hangouts. (See Google's full analysis here.)

According to Volexity, the new Insomnia exploit was expanded to also collect emails from the ProtonMail application and images transferred through the Signal application.

“The inclusion of Signal and ProtonMail may suggest that Uyghurs are aware of the potential control of their communications and are trying to use applications with strong security features to prevent this,” said Volexity today.

Insomnia works with any WebKit-based browser

The cybersecurity firm says iOS users who visited websites hosting Insomnia were vulnerable no matter which browser they used.

"Please note that the exploit can be triggered through any browser on the phone, as they all use WebKit," the research team said. "Volexity has been able to confirm successful exploitation of a phone running 12.3.1 using the Apple Safari, Google Chrome and Microsoft Edge mobile browsers."

Like the exploits the group used before it, Insomnia does not include a persistence mechanism. This means that simply restarting the phone removes the Insomnia malicious code from the device.

However, the Volexity team also believes this does not necessarily mean Evil Eye is unable to persist across reboots if it wants to.

“Attackers may have a method of maintaining persistence, but they configure it manually only after verifying the target,” the company said.

Volexity said that while the Insomnia exploit was deployed on a number of websites, it was most often found on the Uyghur Academy website (akademiye(.)org).

Users who visit Uyghur-themed websites and want to make sure they are not compromised can protect themselves by updating their devices to iOS 12.4 or later, which closes the vulnerability Insomnia relies on. A reboot alone removes a running infection but leaves an unpatched device exploitable again on the next visit to an infected site.