Computer security researchers discover 2 new surveillance tools that target Uyghur mobile apps — Radio Free Asia

According to a new report, China hacked Uyghur-language mobile apps and infected users’ devices to further monitor the persecuted predominantly Muslim group in its northwestern Xinjiang region and other countries.

Researchers from California-based computer and network security firm Lookout’s Threat Lab have discovered two new surveillance tools they call BadBazaar and MOONSHINE targeting Uyghurs in China and abroad.

Both tools can be used to track activities that authorities consider indicative of religious extremism or separatism if Uyghurs use virtual private networks (VPNs), communicate with Muslims abroad, or use messaging apps such as WhatsApp that are popular outside of China, according to the report, which was released on November 1.

BadBazaar is a new Android monitoring tool that shares infrastructure with other previously detected Uyghur-targeted tools described in a 2020 white paper issued by the Lookout Threat Intelligence team.

It masquerades as a variety of Android apps, such as battery managers, video players, radio apps, messaging apps, Uyghur language dictionaries, and religious apps.

According to the report, they collect location information, lists of installed packages, call logs and their associated geocoded locations, phone calls and contacts, installed Android apps, SMS information, mobile device information and Wi-Fi connection data.

The command and control server gives orders

MOONSHINE uses updated variations of a previously leaked tool discovered by Citizen Lab at the Munk School of Global Affairs & Public Policy at the University of Toronto and observed as targeting Tibetan activists in 2019.

It establishes a connection with a command and control server so that the malware can receive commands to perform different functions such as recording phone calls, collecting contact information, retrieving files, deleting SMS messages, capturing cameras and collecting data from social media apps.

“BadBazaar and these new MOONSHINE variants add to the already extensive collection of unique surveillance software used in campaigns to monitor and subsequently detain individuals in China,” the report said.

“Their continued development and prevalence on Uyghur-language social media platforms indicate that these campaigns are ongoing and that threat actors have successfully infiltrated online Uyghur communities to distribute their malware,” it said.

Kristina Balaam, a Canada-based security intelligence engineer and senior threat researcher at Lookout, told RFA that the first samples of the two surveillance tools date back to 2018.

“The malware samples we examine are becoming more and more sophisticated,” she told RFA. “They are introducing new features. They try to better hide where all the malicious features are in the source code. Hiding some of the malicious features has become more sophisticated in some of these latest variants.”

The researchers are confident that the malicious actors speak Chinese and appear to operate in accordance with the interests of the Chinese government, she said.

“So at least we suspect they are based in mainland China,” Balaam said.

Targeted Uyghur Diaspora

Abduweli Ayup, a Uyghur linguist who lives in Norway and runs a website documenting missing and imprisoned Uyghurs in Xinjiang, said Badam Uyghur Keyboard, an app he used for five years, triggered malware that allowed his mobile device to be hacked three times since 2017.

“China has apparently infected the apps that the Uyghur diaspora community uses the most, including Uyghur language learning apps, Uyghur keyboard apps, Arabic learning apps and [ones] for communications such as Skype [and] Telegram,” he told RFA. “This is a very serious situation. What is most alarming is the negligence of some Uyghurs [concerning] the problem of China infecting the apps they use with spyware.”

In response to the report’s findings, Uyghur cybersecurity expert Abdushukur Abdureshit told RFA that the apps include sophisticated data-stealing features that collect personal information, photos and phone numbers and send them to another server.

“It is clear that the Chinese government is trying to control Uyghurs in exile by infecting the apps we frequently use with much more sophistication and less likelihood of discovering the spyware they contain,” he told RFA. “If our photos are stolen and where we go and sleep are monitored, and our phone logs and information are harvested, that means they know everything about us.”

He suggested that Uyghurs only download apps from credible sources, such as Google App Store, as Google ensures that all mobile apps it offers pass a security check and removes questionable ones.

Ubiquitous surveillance system

Uyghurs and other Turkic minorities living in Xinjiang have for years been subjected to a pervasive surveillance system that monitors their movements through the use of drones, facial recognition cameras and cell phone scans as part of China’s effort to control the population.

A report on mass arbitrary detentions and invasive surveillance of Uyghurs in Xinjiang released in late August by the United Nations human rights chief has drawn more international attention to human rights abuses in Xinjiang. The report said China may have committed crimes against humanity in its treatment of Uyghurs there.

On October 31, 50 countries, including the United States, submitted a statement to the United Nations General Assembly expressing concern over the “continued human rights violations of Uyghurs and other predominantly Muslim minorities” in China.

Translated by Mamatjan Juma for RFA Uyghur. Written in English by Roseanne Gerin. Edited by Malcolm Foster.
