CODE4HK - Spyware masquerading as a fake mobile app for coordinating Occupy Central protests in Hong Kong (left) and the WhatsApp message enticing protesters to download the app (right). Image: Matthew Rudy, GitHub

A fake Android mobile app containing malware that can spy on users' actions has been circulating for the past week, claiming to be part of the official Occupy Central pro-democracy movement in Hong Kong.

Activists were told to download the CODE4HK app, which claimed to be for coordinating protests, in WhatsApp messages that were sent from an unknown number and contained a hyperlink, according to the South China Morning Post.

The app seems harmless, but once a protester agrees to install it, it secretly unpacks malware.

As the user has already granted permission to the first app, a second secret app is able to read their SMS text messages, receive messages, record phone calls and even triangulate the user's exact location using the phone's GPS.

The app is deliberately entitled CODE4HK, after a community of programmers seeking to drive social change and increase government transparency on the island, but both the Code4HK community and the Occupy Central organisation say they did not develop the app or send the text message out.

A statement from the Code4HK community said: "None of the Code4HK community has done any application on [Occupy Central] at the moment nor sent the message."

Police officers confront pro-democracy protesters in Hong Kong. Image: Xaume Olleros/AFP

The Hong Kong Computer Emergency Response Team Coordination Centre is so concerned that it has issued an emergency security bulletin warning Android smartphone users not to download the app.

"Malicious behaviours were identified in a fake CODE4HK mobile application, which can cause information disclosure," the warning reads. It also advises users never to install applications from an unknown source and to disable the "unknown sources" option in their settings so that no such apps can be installed.

Code4HK tracked the app back to its origin, and discovered that the server being used to host the fake app has a login interface written in simplified Chinese that is predominantly seen on server software used in mainland China.

Hong Kong, on the other hand, predominantly uses complex (traditional) Chinese for all communications, media, websites and software interfaces.

While this could indicate spying attempts from the mainland, the Code4HK community says that the app looks like generic mobile spyware that already exists on the underground market to aid cybercriminals, and doesn't look as if it has been specially developed to target the people of Hong Kong.