IT security researchers find 2 new surveillance tools that target Uyghur mobile apps

They suspect that malicious actors are working with the Chinese government, report says.

China has been hacking into Uyghur-language mobile apps and infecting users’ devices to further monitor the persecuted predominantly-Muslim group in its northwestern Xinjiang region and in other countries, according to a new report.

Researchers at the Threat Lab at California-based computer and network security company Lookout have uncovered two new surveillance tools they call BadBazaar and MOONSHINE targeting Uyghurs in China and abroad.

The two tools can be used to track activities considered indicative of religious extremism or separatism by authorities if Uyghurs use virtual private networks, or VPNs, communicate with Muslims abroad, or use messaging apps such as WhatsApp that are popular outside of China, according to the report, which was published on Nov. 1.

BadBazaar is a new Android surveillance tool that shares infrastructure with other previously detected Uyghur-targeted tooling outlined in a 2020 whitepaper issued by Lookout's threat intelligence team.

It masquerades as a variety of Android apps, such as battery managers, video players, radio apps, messaging apps, Uyghur-language dictionaries, and religious apps.

They collect location information, lists of installed packages, call logs and their associated geocoded locations, phone calls and contacts, installed Android apps, SMS information, mobile device information, and Wi-Fi connection data, according to the report.

Command-and-control server gives orders

MOONSHINE uses updated variants of a previously disclosed tool discovered by Citizen Labat the University of Toronto's Munk School of Global Affairs & Public Policy and observed to be targeting Tibetan activists in 2019.

It establishes a connection with a command-and-control server so that the malware can receive commands to perform different functions such as recording phone calls, collecting contact information, retrieving files, removing SMS messages, capturing cameras, and collecting data from social media apps.

“BadBazaar and these new variants of MOONSHINE add to the already extensive collection of unique surveillanceware used in campaigns to surveil and subsequently detain individuals in China,” said the report.

“Their continued development and their prevalence on Uyghur-language social media platforms indicate these campaigns are ongoing and that the threat actors have successfully infiltrated online Uyghur communities to distribute their malware,” it said.

Kristina Balaam, a Canada-based staff security intelligence engineer and senior threat researcher at Lookout, told RFA that the earliest samples of use of the two surveillance tools date to 2018.

“The malware samples that we’re looking at are getting more sophisticated,” she told RFA. “They are introducing new functionality. They’re trying to do a better job of hiding where all of the malicious functionality actually lives within the source code. Hiding some of the malicious functionality has become more sophisticated in some of these later variants.”

Researchers are confident that the malicious actors are Chinese-speaking and appear to be operating in alignment with Chinese government interests, she said.

“So, we at least suspect that they are based in mainland China,” said Balaam.

Uyghur diaspora targeted

Abduweli Ayup, a Uyghur linguist who lives in Norway and runs a website documenting missing and imprisoned Uyghurs in Xinjiang, said Badam Uyghur Keyboard, an app he used for five years, unleashed malware that allowed his mobile device to be hacked three times since 2017.

“China apparently infected the apps that the Uyghur diaspora community uses the most, including Uyghur language learning apps, Uyghur keyboard apps, Arabic learning apps, and [ones] for communications such as Skype [and] Telegram,” he told RFA. “This is a very serious situation. What’s most alarming is the negligence of some Uyghurs [concerning] the issue of China infecting the apps they’ve been using with spyware.”

In response to the report’s findings, Uyghur cybersecurity expert Abdushukur Abdureshit told RFA that the apps include sophisticated data-stealing features that harvest personal information, photos and phone numbers and send them to another server.

“It is clear that the Chinese government is attempting to control the Uyghurs in exile by infecting the apps that we use frequently with much more sophistication and less probability of discovering the spyware in them,” he told RFA. “If our photos are stolen and where we go and sleep are monitored, and our phone logs and information are harvested, then that means they know everything about us.”

He suggested that Uyghurs download apps only from credible sources, such as the Google App Store because Google ensures that all the mobile apps it offers pass a security check and removes ones that are questionable.

Pervasive surveillance system

Uyghurs and other Turkic minorities living in Xinjiang have been subjected for years to a pervasive surveillance system that monitors their movements through the use of drones, facial recognition cameras and mobile phone scans as part of China’s efforts to control the population.

A report on mass arbitrary detentions and the invasive surveillance of Uyghurs in Xinjiang issued in late August by the United Nations human rights chief brought more international attention to human rights violations in Xinjiang. It said China may have committed crimes against humanity in its treatment of Uyghurs there.

On Oct. 31, 50 countries, including the United States, submitted a statement to the U.N. General Assembly expressing concern over the “ongoing human rights violations of Uyghurs and other predominantly Muslim minorities” in China.

Translated by Mamatjan Juma for RFA Uyghur. Written in English by Roseanne Gerin. Edited by Malcolm Foster.