"As someone working on digital security and constantly looking at phishing attacks, it was a surprise to see your own email being used for phishing purposes and I wasn’t sure how to feel about it. Once I learned more about the attack, the fact that I had no idea how many people might have been lured with this email was scary. Also, how something that is meant for allowing people to access information has been repurposed by the Chinese Government to spy on them made me angry. It also made me realize the truth that Tibetans are targeted as a community and our response has to be community led."

Lobsang Gyatso Sither, Director of Technology, Tibet Action Institute

In 2011, WeChat, a mobile messaging application, launched. It has since become the most popular communications platform in China, and it quickly spread to Tibetan populations. The popularity of WeChat became a concern because the app is under the control of a Chinese company and therefore subject to information controls dictated by the Chinese government. Reports of censorship and suspected surveillance on WeChat began to circulate in the community.

Tibet Action Institute is an activist organization that uses digital technology and strategic nonviolent action to support the Tibet movement. In response to digital security concerns surrounding WeChat, Tibet Action Institute promoted alternative communications apps to Tibetans including KakaoTalk (a South Korean chat app).

Lobsang Gyatso Sither, then serving as the Digital Security Program Manager at Tibet Action Institute, promoted this campaign by sending trusted contacts the Android installation files for the apps (Android Application Package files, or APKs).

On December 4, 2012, Lobsang sent an email to a member of the Tibetan Parliament that included APKs for KakaoTalk and Internet radio apps with instructions on how to install and use the apps.

On January 16, 2013, a high-profile member of the Tibetan community received an identical email that also appeared to come from Lobsang. This email was a fake, and its attached APK files carried additional features designed to send a user’s contacts, SMS message history, and cellular network location to attackers.[22]

This chain of events suggests that the email of the Tibetan Parliamentarian who first received the real email was already compromised, giving the attackers access to the message and showing them that Tibetans were circulating APKs through their networks of trust. The attackers then repurposed the message and modified the APKs to include malware.


This attack was one of the first examples of mobile malware we observed in the community and showed how digital threats against the community adapt. As Tibetans went mobile, so did the threats.