Spyware targets Uyghurs by ‘disguising’ itself as Android apps – report
Cybersecurity researchers have discovered a spyware campaign that targets Uyghurs by “disguising” itself as Android apps, including messaging, prayer time apps and dictionaries, according to a new report from cloud security firm Lookout.
The spyware, which the researchers say is linked to a Chinese government-backed hacker group, can be used to detect activity that Chinese authorities treat as a “pre-crime”, that is, as an indication that someone is participating, or will participate, in religious extremist or separatist activity. “Pre-crime” activities include using a virtual private network (VPN) or sharing any kind of religious content, and can lead to detention in a re-education camp.
The surveillance campaign primarily targets Uyghurs in China, according to the report, but there is also evidence that those behind it were looking to target Uyghurs in Muslim-majority countries such as Afghanistan and Turkey. Turkey is home to the largest Uyghur diaspora outside Central Asia, with an estimated 50,000 Uyghurs living there.
China’s mass surveillance apparatus and its targeting of Uyghurs have been well documented in recent years. Several Chinese surveillance and camera companies have been placed on the US entity list for complicity in human rights abuses. Some of these companies have applied for patents on, have developed, or plan to develop features that would flag a person as Uyghur or raise an alert when one is detected. The UN has also found that China is responsible for “serious human rights violations” against Uyghurs in Xinjiang.
In a statement to Bloomberg, Liu Pengyu, a spokesperson for the Chinese embassy in Washington, said: “We oppose wild guesses and malicious statements against China,” and that the country opposes “all forms of cyber attacks.”
Researchers say many of the apps carrying this spyware, which they have dubbed Badbazaar, collect device data including location, contacts, call logs and wifi information, and can also record phone calls and take pictures. The researchers also found that recent iterations of Moonshine, an Android exploit first discovered in 2019 by the University of Toronto’s Citizen Lab research group, embed spyware in trojanized versions of popular apps including WhatsApp and Telegram, as well as in “versions of Muslim cultural apps, Uyghur tools, or prayer apps”.
The Android apps that mimic existing services are usually found in unofficial app stores because Google Play is blocked in China, according to the report, and are also spread through messaging services including Telegram.
Kristina Balaam, a threat intelligence researcher at Lookout, said this was one of the more sophisticated “malware families” they had seen because, in addition to collecting extensive data about people, the apps they either custom-build or infect are fully functional.
“Even cases where the threat actor has built a custom application, such as a third-party app store that they claim will let you download, such as a legal dictionary or other translation tools or prayer applications, they are actually fully built-out applications,” Balaam said.
“Or in the case of a trojanized version of Telegram, you can sign in with your actual Telegram account because it really is Telegram,” she continued. “It has just been trojanized by the threat actor to also install surveillance functionality on your device and collect information about who you talk to, your contacts, your photos and GPS data.”
The threat actors – malicious groups or individuals responsible for the security threats – are able to do this by using “the same source code from the legitimate app” to build the fake app; “it still talks to the server and allows you to log in,” Balaam said.
A Telegram spokesperson, Remi Vaughn, said that Telegram had not been compromised and that the report referred to malicious apps pretending to be official.
“It is not possible for Telegram or any app to protect users if they download apps from unofficial app stores or third-party websites,” Vaughn said in a statement.
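One check follows directly from the two points above: a trojanized build that reuses the legitimate source code, distributed outside the official store, cannot be signed with the original developer’s private key, so its APK signing certificate differs from the official release’s even though the app looks and behaves identically. The Android (Java) snippet below is added here as an illustration; it is not code from Lookout, Telegram or the report. It compares the signing-certificate fingerprint of each installed package against a pinned value. The package names are real, but the fingerprint strings are placeholders that have to be filled in from a copy of each app obtained through its official channel (for example with `apksigner verify --print-certs official.apk`).

```java
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.content.pm.SigningInfo;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Audits installed apps against pinned signing-certificate fingerprints.
 * Needs API 28+ (GET_SIGNING_CERTIFICATES). On API 30+ the auditing app also needs
 * package visibility for the audited packages (a <queries> element in its manifest or
 * the QUERY_ALL_PACKAGES permission), otherwise getPackageInfo throws NameNotFoundException.
 */
public final class SignerAudit {

    /**
     * ASSUMPTION / PLACEHOLDER values: lower-case hex SHA-256 of the DER-encoded release
     * signing certificate, as printed by `apksigner verify --print-certs` for a copy of
     * the app obtained from its official channel. Replace before use.
     */
    private static final Map<String, String> PINNED = new LinkedHashMap<>();
    static {
        PINNED.put("org.telegram.messenger",
                "0000000000000000000000000000000000000000000000000000000000000000");
        PINNED.put("com.whatsapp",
                "0000000000000000000000000000000000000000000000000000000000000000");
    }

    public enum Verdict { NOT_INSTALLED, SIGNER_MATCH, SIGNER_MISMATCH, UNVERIFIABLE }

    private SignerAudit() {}

    /** Hex SHA-256 of a DER-encoded X.509 certificate (the form apksigner prints). */
    public static String sha256Hex(byte[] der) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e); // mandatory on Android
        }
    }

    /** Fingerprints of the certificates that currently sign the package's APK contents. */
    public static List<String> signerFingerprints(PackageManager pm, String pkg)
            throws PackageManager.NameNotFoundException {
        PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
        SigningInfo si = info.signingInfo;
        List<String> out = new ArrayList<>();
        if (si == null) return out;
        // getApkContentsSigners() covers both the single-signer (possibly rotated) case and
        // multi-signer APKs; it excludes older certificates from the rotation history.
        for (Signature s : si.getApkContentsSigners()) {
            out.add(sha256Hex(s.toByteArray()));
        }
        return out;
    }

    /** Compares an installed package's signers with its pinned fingerprint. */
    public static Verdict check(PackageManager pm, String pkg, String pinnedHex) {
        List<String> actual;
        try {
            actual = signerFingerprints(pm, pkg);
        } catch (PackageManager.NameNotFoundException e) {
            return Verdict.NOT_INSTALLED;
        }
        if (actual.isEmpty()) return Verdict.UNVERIFIABLE;
        // Every signer must be the pinned one: a rebuild from source cannot carry the
        // developer's key, so any unknown certificate is a mismatch, not a partial match.
        for (String fp : actual) {
            if (!fp.equalsIgnoreCase(pinnedHex)) return Verdict.SIGNER_MISMATCH;
        }
        return Verdict.SIGNER_MATCH;
    }

    /** Runs the check for every pinned package; a caller would surface SIGNER_MISMATCH to the user. */
    public static Map<String, Verdict> audit(PackageManager pm) {
        Map<String, Verdict> report = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : PINNED.entrySet()) {
            report.put(e.getKey(), check(pm, e.getKey(), e.getValue()));
        }
        return report;
    }
}
```

Two caveats a practitioner would want: the pinned value has to follow the developer’s current key, so a legitimate key rotation will show as a mismatch until the pin is updated; and NOT_INSTALLED is also what the check returns when the auditing app lacks package visibility, so an absent result is not evidence that a package is clean. The check is only as trustworthy as the device it runs on, which is why it belongs in a tool installed through an official channel rather than in something obtained from the same unofficial store as the apps it inspects.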
Balaam agreed that there was little companies could do to shut down these threat actors “because they tend to be pretty good at how they pivot to new platforms to distribute this malware”.
“So I think one of the things that we unfortunately just have to do as consumers is to be extra careful about the applications that we download,” she said. “It’s difficult if you’re in China because you don’t have access to any of the official app stores like Google Play. Otherwise, it’s pretty important not to download applications from social media, or applications that are shared through something like one of these Telegram channels.”