Two long-running surveillance campaigns have been found targeting the Uyghur community in China and elsewhere with Android spyware tools designed to harvest sensitive information and track their whereabouts.
The campaigns involve a previously undocumented malware family called BadBazaar and updated variants of an espionage tool dubbed MOONSHINE, which researchers from the University of Toronto’s Citizen Lab first documented in September 2019.
“Mobile surveillance tools like BadBazaar and MOONSHINE can be used to track many of the ‘pre-criminal’ activities, actions considered indicative of religious extremism or separatism by the authorities in Xinjiang,” Lookout said in a detailed write-up of the operations.
The BadBazaar campaign, according to the security firm, dates as far back as late 2018 and comprises 111 unique apps that masquerade as benign video players, messengers, religious apps, and even TikTok.
While these samples were distributed through Uyghur-language social media platforms and communication channels, Lookout noted it found a dictionary app named “Uyghur Lughat” on the Apple App Store that communicates with a server used by its Android counterpart to gather basic iPhone information.
The iOS app continues to be available on the App Store.
“Since BadBazaar variants often acquire their surveillance capabilities by downloading updates from their [command-and-control server], it is possible the threat actor is hoping to later update the iOS sample with similar surveillance functionality,” the researchers pointed out.
BadBazaar, once installed, comes with several features that allow it to collect call logs, GPS locations, SMS messages, and files of interest; record phone calls; take pictures; and exfiltrate substantial device metadata.
Further analysis of BadBazaar’s infrastructure has revealed overlaps with another spyware operation aimed at the ethnic minority that came to light in July 2020 and which made use of an Android toolset called DoubleAgent.
Attacks employing MOONSHINE,