Spyware to monitor Uyghurs

Spyware for surveillance campaigns against Uyghurs


IT security analysts have uncovered two new surveillance spyware programs targeting Uyghurs in mainland China and abroad.

One campaign introduced a novel Android monitoring tool Lookout has dubbed BadBazaar, which shares infrastructure with other previously discovered Uyghur-targeted tools. The other tool uses updated variants of a previously publicized tool, MOONSHINE, discovered by Citizen Lab that targeted Tibetan activists in 2019.

Although surveillance and detention campaigns against Uyghurs and other Turkic ethnic minorities have been running for years, the issue has received increased international attention since a critical report by UN High Commissioner for Human Rights Michelle Bachelet in August 2022. The report found that China may have committed crimes against humanity in its treatment of Uyghurs in the Xinjiang region. On October 31, 2022, 50 countries submitted a joint statement to the UN General Assembly expressing their concern about the “ongoing human rights violations against Uyghurs and other predominantly Muslim minorities in China.”

Mobile monitoring tools

Mobile surveillance tools such as BadBazaar and MOONSHINE can be used to trace many of the “pre-criminal” activities, that is, acts that Xinjiang authorities consider indicators of religious extremism or separatism. Activities that can result in a user being detained include using a VPN, communicating with practicing Muslims abroad, using religious apps, and using messaging apps such as WhatsApp that are popular outside of China.

BadBazaar and these new variants of MOONSHINE add to the already extensive collection of unique surveillance programs used in campaigns to monitor and then arrest people in China. Their continued development and proliferation on Uyghur-language social media platforms indicate that these campaigns are ongoing and that the attackers have successfully infiltrated online Uyghur communities to spread their malware.

BadBazaar

In late 2021, Lookout researchers came across a tweet from the @MalwareHunterTeam Twitter handle that referred to an English-Uyghur dictionary app which VirusTotal contributors had flagged as malware and linked to Bahamut, a threat actor mainly active in the Middle East.

Analysis of this sample made clear that the malware is instead associated with surveillance campaigns targeting Uyghurs and other Turkic ethnic minorities in China and abroad. Overlapping infrastructure and TTPs suggest these campaigns are linked to APT15, a China-backed hacking group also known as VIXEN PANDA and NICKEL. Lookout named the malware family BadBazaar after an early variant that posed as a third-party app store called "APK Bazar"; Bazar is a less common spelling of Bazaar.

The malware disguises itself as Android apps

Lookout has since collected 111 unique samples of BadBazaar monitoring software, dating back to late 2018. More than 70 percent of these apps were found in Uyghur-language communication channels in the second half of 2022. The malware primarily disguises itself as a variety of Android apps, such as battery managers, video players, radio apps, messaging apps, dictionaries and religious apps. The researchers have also found apps pretending to be a harmless third-party app store for Uyghurs.

The campaign appears to be aimed primarily at Uyghurs in China. However, the researchers found evidence of broader targeting of Muslims and Uyghurs outside of Xinjiang. For example, several of the analyzed samples masqueraded as map apps for other countries with large Muslim populations, such as Turkey or Afghanistan. They also found that a small subset of apps had been submitted to the Google Play Store, suggesting the attacker was interested in reaching Android users outside of China where possible. As far as is known, the apps discussed in this article were never distributed through Google Play.

Extent of surveillance

BadBazaar appears to have been developed iteratively. Early variants bundled a payload, update.jar, inside the Android APK file and loaded it as soon as the app was launched. Later samples shipped only limited monitoring capabilities within the APK itself and instead relied on the app's ability to update itself by contacting its C2 server. In its most recent version, BadBazaar obtains its payload solely by downloading a file from the C2 server on port 20121 and storing it in the app's cache directory. The Android monitoring tool is capable of collecting extensive device data:

  • Location (latitude and longitude)
  • List of installed packages
  • Call logs and the geo-coded location associated with each call
  • Contact information
  • Installed Android apps
  • SMS information
  • Extensive device information including model, language, IMEI, IMSI, ICCID (SIM serial number), phone number, time zone and the user's centrally registered online accounts
  • Wi-Fi information (connected or not, and if connected, IP, SSID, BSSID, MAC, netmask, gateway, DNS1, DNS2)
  • Recordings of telephone conversations
  • Photos taken with the camera
  • Data and database files from the SharedPreferences directory of the trojanized application
  • A list of files on the device ending in .ppt, .pptx, .docx, .xls, .xlsx, .doc, or .pdf
  • Folders of interest dynamically specified by the C2 server, including camera images and screenshots, attachments from Telegram, WhatsApp, GBWhatsApp, TalkBox and Zello, logs and chat histories

The MOONSHINE malware client

While previous variants of the MOONSHINE client attempted to gain persistence and full permissions by exploiting other apps, replacing their native libraries, the latest samples neither request full permissions from the user upon installation nor attempt to replace the native library files of messaging apps. A "Score" parameter reported by the client appears to be an indicator that lets the attacker decide how to proceed with the target device.

After connecting to the C2, the client can receive commands from the server to perform a variety of functions depending on the score generated for the device. The malware client is capable of:

  • Recording calls
  • Collecting contacts
  • Retrieving files from a location specified by the C2
  • Collecting device location data
  • Exfiltrating SMS messages
  • Capturing images from the camera
  • Recording from the microphone
  • Setting up a SOCKS proxy
  • Collecting WeChat data from Tencent wcdb database files

Communication is sent over a secure WebSocket and is additionally encrypted prior to transmission using a custom method called serialize(), similar to the one used to encrypt the SharedPreferences configuration file.

Surveillance of the Uyghur population

Despite increasing international pressure, actors working on behalf of the Chinese state are likely to continue distributing surveillance programs targeting Uyghur and Muslim mobile device users via Uyghur-language communication platforms. The widespread adoption of BadBazaar and MOONSHINE and the speed at which new features have been introduced suggest that development of these families will continue and that there is ongoing demand for these tools.

Mobile device users in these communities need to be especially careful with apps shared through social media. Mobile device users outside of China should only download apps from official app stores such as Google Play or the Apple App Store. Users of the Lookout security app are protected from these threats. Users who believe they are a target of mobile surveillance, or who need more information about these campaigns, can consult Lookout Threat Intelligence services or contact Lookout researchers.

More at Lookout.com

www.lookout.com


About Lookout

Lookout co-founders John Hering, Kevin Mahaffey, and James Burgess came together in 2007 with the goal of protecting people from the security and privacy risks posed by an increasingly connected world. Even before smartphones were in everyone's pocket, they realized that mobility would have a profound impact on the way we work and live.
