IT security researchers find two new surveillance tools targeting Uyghur mobile apps – Radio Free Asia
China has hacked into Uyghur-language mobile apps and infected users’ devices to further monitor the persecuted, mainly Muslim group in the northwestern Xinjiang region and in other countries, according to a new report.
Researchers at the Threat Lab at California-based computer and network security company Lookout have uncovered two new surveillance tools they call BadBazaar and MOONSHINE targeting Uyghurs in China and abroad.
The two tools can be used to track activities that authorities consider signs of religious extremism or separatism if Uighurs use virtual private networks, or VPNs, communicate with Muslims abroad or use messaging apps such as WhatsApp that are popular outside China, according to reportwhich was published on 1 Nov.
BadBazaar is a new Android surveillance tool that shares infrastructure with other previously discovered Uyghur-targeted tools outlined in a 2020 white paper issued by Lookout’s threat intelligence team.
It pretends to be a variety of Android apps, such as battery managers, video players, radio apps, messaging apps, Uyghur dictionaries, and religious apps.
They collect location information, lists of installed packages, call logs and associated geocoded locations, phone calls and contacts, installed Android apps, SMS information, mobile device information and Wi-Fi connection data, according to the report.
Command and control server gives orders
MOONSHINE uses updated variants of a previously published tool discovered by Citizen Lab at the University of Toronto’s Munk School of Global Affairs & Public Policy and observed to be targeting Tibetan activists in 2019.
It establishes a connection with a command-and-control server so that the malware can receive commands to perform various functions such as recording phone calls, collecting contact information, retrieving files, deleting SMS messages, capturing cameras and collecting data from apps for Social Media .
“BadBazaar and these new variants of MOONSHINE add to the already extensive collection of unique surveillance equipment used in campaigns to monitor and then arrest individuals in China,” the report said.
“Their continued development and their proliferation on Uyghur social media platforms indicate that these campaigns are ongoing and that the threat actors have infiltrated online Uyghur communities to distribute malware,” it said.
Kristina Balaam, a Canada-based security intelligence engineer and senior threat researcher at Lookout, told RFA that the earliest trials of using the two monitoring tools date to 2018.
“The malware examples we look at are becoming more sophisticated, she tells RFA. “They’re introducing new functionality. They’re trying to do a better job of hiding where all the malicious functionality actually lives in the source code. Hiding some of the malicious functionality has become more sophisticated in some of these later variants.”
Researchers are confident that the malicious actors are Chinese-speaking and appear to be operating in the interests of Chinese authorities, she said.
“So we suspect at least they are based in mainland China,” Balaam said.
Uyghur diaspora targeted
Abduweli Ayup, a Uyghur linguist who lives in Norway and runs a website documenting missing and imprisoned Uighurs in Xinjiang, said Badam Uyghur Keyboard, an app he used for five years, triggered malware that caused his mobile device to be hacked three times since 2017 .
“China apparently infected the apps that the Uyghur diaspora community uses the most, including Uyghur language learning apps, Uyghur keyboard apps, Arabic learning apps and [ones] for communication such as Skype [and] Telegram, he told RFA. – This is a very serious situation. What is most alarming is the negligence of some Uighurs [concerning] the problem of China infecting the apps they used with spyware.”
In response to the report’s findings, Uyghur cybersecurity expert Abdushukur Abdureshit told RFA that the apps include sophisticated data-stealing features that collect personal information, photos and phone numbers and send them to another server.
“It is clear that the Chinese government is trying to control the Uyghurs in exile by infecting the apps that we use often with much more sophistication and less likelihood of detecting the spyware in them,” he told RFA. “If our photos are stolen and where we go and sleep are monitored, and our phone logs and information are harvested, it means they know everything about us.”
He suggested that Uyghurs only download apps from credible sources, such as the Google App Store because Google ensures that all mobile apps it offers pass a security check and remove those that are questionable.
End-to-end monitoring system
Uighurs and other Turkic minorities living in Xinjiang have for years been subject to a pervasive surveillance system that monitors their movements through the use of drones, facial recognition cameras and mobile phone scans as part of China’s efforts to control the population.
A report on arbitrary mass detentions and invasive surveillance of Uyghurs in Xinjiang issued in late August by the UN human rights chief drew more international attention to human rights abuses in Xinjiang. It said China may have committed crimes against humanity in its treatment of Uighurs there.
On October 31, 50 countries, including the United States, sent a statement to the UN General Assembly expressing concern over the “ongoing human rights violations of Uyghurs and other predominantly Muslim minorities” in China.
Translated by Mamatjan Juma for RFA Uyghur. Written in English by Roseanne Gerin. Edited by Malcolm Foster.