China has hacked Uyghur-language mobile apps and infected users’ devices to further track the persecuted predominantly Muslim group in the northwestern region of Xinjiang and other countries, according to a new report.
Researchers at the Threat Lab of California-based computer and network security firm Lookout have discovered two new surveillance tools they call BadBazaar and MOONSHINE that target Uyghurs in China and abroad.
The two tools can be used to monitor activities deemed by authorities to be indicative of religious extremism or separatism if Uyghurs use virtual private networks or VPNs, communicate with Muslims abroad, or use messaging apps like WhatsApp that are popular outside of China, according to the report, which was published on November 1.
BadBazaar is a new Android surveillance tool that shares infrastructure with other previously detected Uyghur-targeted tools described in a 2020 white paper released by Lookout’s Threat Intelligence team.
It masquerades as a variety of Android apps such as battery managers, video players, radio apps, messaging apps, Uyghur dictionaries, and religious apps.
They collect location information, lists of installed packages, call logs and their associated geocoded locations, phone calls and contacts, installed Android apps, SMS information, mobile device information and Wi-Fi connection data, according to the report.
Command-and-control server issues orders
MOONSHINE uses updated variants of a previously revealed tool discovered by Citizen Lab at the Munk School of Global Affairs & Public Policy at the University of Toronto and observed to target Tibetan activists in 2019.
It establishes a connection to a command-and-control server so that the malware can receive commands to perform various functions such as recording phone calls, collecting contact information, retrieving files, deleting text messages, capturing cameras and collecting data from social media apps.
“BadBazaar and these new variants of MOONSHINE add to the already extensive collection of unique surveillance software used in campaigns to monitor and then detain individuals in China,” the report said.
“Their continued development and presence on Uyghur-language social media platforms indicate that these campaigns are ongoing and that the attackers have successfully penetrated Uyghur communities online to spread their malware,” it said.
Kristina Balaam, a Canada-based security intelligence engineer and senior threat researcher at Lookout, told RFA that the first use cases of the two surveillance tools date back to 2018.
“The malware samples we look at are getting more and more sophisticated,” she told RFA. “They introduce new functionality. They try better to hide where all the malicious functionality is in the source code. Hiding some of the malicious functionality has become more sophisticated in some of these later variants.”
Investigators are confident that the malicious actors speak Chinese and appear to be operating in line with the interests of the Chinese government, she said.
“So we at least suspect they’re based in mainland China,” Balaam said.
Uyghur diaspora target
Abduweli Ayup, a Uyghur linguist living in Norway who runs a website that documents missing and imprisoned Uyghurs in Xinjiang, said Badam Uyghur Keyboard, an app he used for five years, released malware that allowed his mobile device to be hacked three times since 2017.
“China has apparently infected the apps that the Uyghur diaspora community uses most, including Uyghur language learning apps, Uyghur keyboard apps, Arabic learning apps and [ones] for communication such as Skype [and] Telegram,” he told RFA. “This is a very serious situation. Most disturbing is the negligence of some Uyghurs [concerning] the problem of China infecting the apps they use with spyware.”
Commenting on the report’s findings, Uyghur cybersecurity expert Abdushukur Abdureshit told RFA that the apps contain sophisticated data-stealing features that collect personal information, photos and phone numbers and send them to another server.
“It is clear that the Chinese government is trying to control the exiled Uyghurs by infecting the apps we frequently use with much more sophistication and less chance of detecting the spyware in them,” he told RFA. “If our photos are stolen and where we go and sleep are monitored, and our phone logs and information are harvested, that means they know everything about us.”
He suggested that Uyghurs only download apps from credible sources, such as the Google App Store, because Google ensures that all mobile apps it offers pass a security check and removes questionable apps.
Pervasive surveillance system
Uyghurs and other Turkic minorities living in Xinjiang have for years been subject to a pervasive surveillance system that tracks their movements through the use of drones, facial recognition cameras and mobile phone scans as part of China’s efforts to control the population.
A report on mass arbitrary detentions and invasive surveillance of Uyghurs in Xinjiang released by the United Nations human rights chief in late August increased international attention to human rights violations in Xinjiang. It said China may have committed crimes against humanity in its treatment of Uyghurs there.
On October 31, 50 countries, including the United States, submitted a statement to the UN General Assembly expressing concern over China’s “ongoing human rights violations against Uighurs and other predominantly Muslim minorities.”
Translated by Mamatjan Juma for RFA Uyghur. Written in English by Roseanne Gerin. Edited by Malcolm Foster.