Uyghur-language Apps Riddled with China-linked Spyware, Cybersecurity Firm Says


Two new spyware strains are targeting Uyghurs in China and elsewhere by masquerading as Android apps, designed to track the user’s location and harvest their information, researchers at cybersecurity firm Lookout discovered in a recent threat analysis.

November 17, 2022

Researchers attributed the spyware to Chinese state-backed groups, as some of the technologies overlapped with previous Uyghur cyber espionage campaigns linked to China, and said they can be used to track “pre-criminal” activities, which China considers to signal religious extremism or separatism.

These so-called pre-crime actions can range from activating a VPN to using religious apps, and can result in a user being detained and sent to a re-education camp.

Chinese authorities have in the past used other mobile apps to spy on Uyghurs, Human Rights Watch documented in 2019. They also targeted the Turkic Muslim minority with cyber espionage campaigns for about a decade.

The two spyware strains Lookout recently uncovered are updated versions of long-running surveillance campaigns, named BadBazaar and MOONSHINE. According to research provided to Bloomberg, nearly a third of all Uyghur-language Android apps shared on social media or downloaded since July this year are infected with these strains of spyware.

BadBazaar, for instance, is said to date back to 2018 and comprise over a hundred Android apps, masquerading as video players, messaging and radio apps, dictionaries, and religious apps. Over two-thirds of these apps were found in Uyghur-language communication channels within the second half of this year.

These apps are capable of harvesting extensive amounts of data from a user’s device, including their location, contacts, and texts. They can also record phone calls and take pictures.

Attacks using the latest MOONSHINE strain, malware first detected in 2019 by Citizen Lab as targeting Tibetan activists, have employed over fifty apps since July this year.

“The majority of these samples are trojanized versions of popular social media platforms, like WhatsApp or Telegram, or trojanized versions of Muslim cultural apps, Uyghur-language tools, or prayer apps,” the researchers found.

Similar to the BadBazaar malware, these apps can amass an extensive amount of personal data from infected phones, and can additionally record audio and download arbitrary data.

Although those targeted with these strains are predominantly within the confines of China, the analysis found that some of the facade apps can also end up on the devices of Uyghurs in other countries like Turkey, which is home to the biggest Uyghur diaspora, and Afghanistan.

“Despite growing international pressure, Chinese threat actors operating on behalf of the Chinese state are likely to continue to distribute surveillanceware targeting Uyghur and Muslim mobile device users through Uyghur-language communications platforms,” Lookout concluded in its analysis.

“The wide distribution of both BadBazaar and MOONSHINE, and the rate at which new functionality has been introduced indicate that development of these families is ongoing and that there is a continued demand for these tools,” they added.

“We oppose wild guesses and malicious slurs against China,” Liu Pengyu, spokesperson at the Chinese embassy in Washington, told Bloomberg, adding that the country opposes “all forms of cyber-attacks”.

In a critical report published in August this year, the United Nations human rights chief said that China is responsible for “serious human rights violations” in its Xinjiang region, and that its “arbitrary and discriminatory detention” of Uyghurs and other Muslims in the province may constitute crimes against humanity.

Beijing has repeatedly denied accusations of maltreatment and detainment of Uyghurs in the past.