Two long-running surveillance campaigns have been found targeting the Uyghur community in China and elsewhere with Android spyware tools designed to harvest sensitive information and track their whereabouts.
This encompasses a previously undocumented malware strain called BadBazaar and updated variants of an espionage artifact dubbed MOONSHINE by researchers from the University of Toronto’s Citizen Lab in September 2019.
“Mobile surveillance tools like BadBazaar and MOONSHINE can be used to track many of the ‘pre-criminal’ activities, actions considered indicative of religious extremism or separatism by the authorities in Xinjiang,” Lookout said in a detailed write-up of the operations.
The BadBazaar campaign, according to the security firm, is said to date as far back as late 2018 and comprise 111 unique apps that masquerade as benign video players, messengers, religious apps, and even TikTok.
While these samples were distributed through Uyghur-language social media platforms and communication channels, Lookout noted it found a dictionary app named “Uyghur Lughat” on the Apple App Store that communicates with a server used by its Android counterpart to gather basic iPhone information.
The iOS app continues to be available on the App Store.
“Since BadBazaar variants often acquire their surveillance capabilities by downloading updates from their [command-and-control server], it is possible the threat actor is hoping to later update the iOS sample with similar surveillance functionality,” the researchers pointed out.
BadBazaar, once installed, comes with several features that allow it to collect call logs, GPS locations, SMS messages, and files of interest; record phone calls; take pictures; and exfiltrate substantial device metadata.
Further analysis of BadBazaar’s infrastructure has revealed overlaps with another spyware operation aimed at the ethnic minority that came to light in July 2020 and which made use of an Android toolset called DoubleAgent.
Attacks employing MOONSHINE, in a similar vein, have put to use over 50 malicious apps since July 2022 that are engineered to amass personal data from the infected devices, in addition to recording audio and downloading arbitrary files.
“The majority of these samples are trojanized versions of popular social media platforms, like WhatsApp or Telegram, or trojanized versions of Muslim cultural apps, Uyghur-language tools, or prayer apps,” the researchers said.
Prior malicious cyber activities leveraging the MOONSHINE Android spyware kit have been attributed to a threat actor tracked as POISON CARP (aka Evil Eye or Earth Empusa), a China-based nation-state collective known for its attacks against Uyghurs.
When reached for comment, Google said that all Android apps are scanned by Google Play Protect prior to them being published on the app storefront, and that it regularly monitors the operations of apps to identify policy violations.
“As an App Defense Alliance partner, we regularly collaborate with Lookout and others in order to help keep Google Play safe,” the tech giant told The Hacker News. “The apps included in this report were never published on Google Play and were rejected by our team as part of our app review process.”
The findings come a little over a month after Check Point disclosed details of another long-standing surveillanceware operation aimed at the Turkic Muslim community that deployed a trojan named MobileOrder since at least 2015.
“BadBazaar and these new variants of MOONSHINE add to the already extensive collection of unique surveillanceware used in campaigns to surveil and subsequently detain individuals in China,” Lookout said.
“The wide distribution of both BadBazaar and MOONSHINE, and the rate at which new functionality has been introduced indicate that development of these families is ongoing and that there is a continued demand for these tools.”
The development also follows a report from Google Project Zero last week, which uncovered evidence of an unnamed commercial surveillance vendor weaponizing three zero-day security flaws in Samsung phones with an Exynos chip running kernel version 4.14.113. The security holes were plugged by Samsung in March 2021.
That said, the search giant said the exploitation mirrored a pattern similar to recent compromises where malicious Android apps were abused to target users in Italy and Kazakhstan with an implant referred to as Hermit, which has been linked to Italian company RCS Lab.