National Security News

Reporting the facts on national security

Spyware able to access phone audio and cameras for data ‘of use to China’, NCSC warns

NovaSouth HQ of the National Cyber Security Centre in London. (Source – NCSC)

Security agencies in the UK and allied countries have warned members of the Uyghur, Tibetan and Taiwanese communities that they may be targeted by newly discovered variants of spyware.

The UK’s National Cyber Security Centre (NCSC) has joined its counterparts in the US, Australia, Canada, Germany and New Zealand in raising the alarm over the Trojanised malware, which it says is hidden in legitimate-looking mobile apps such as TibetOne.

The two variants, dubbed Moonshine and BadBazaar, are designed to covertly access device microphones, cameras, messages, photos and real-time location data, according to the NCSC.

The agency warned that potential targets include individuals connected to: Taiwanese independence; Tibetan rights; Uyghur Muslims and other ethnic minorities in China’s Xinjiang Autonomous Region; pro-democracy advocates, including those from Hong Kong; and the Falun Gong spiritual movement.

Intelligence sources said the evidence appeared to suggest the Chinese state as the likely aggressor.

“We are seeing a rise in digital threats designed to silence, monitor and intimidate communities across borders, and the use of these two forms of spyware is clearly unacceptable,” said NCSC Director of Operations, Paul Chichester.

“The NCSC urges people at higher risk to exercise heightened vigilance and follow our practical advice outlined in the advisory to help keep their devices and data safe.”

TibetOne was reportedly an iOS app uploaded to Apple’s App Store in December 2021, but it is no longer available. It contained the BadBazaar spyware, which was used to target Uyghur, Tibetan and Taiwanese individuals.

A separate Android app has a Uyghur-language title that translates to Audio Quran.apk. These apps are often promoted on online forums frequented by targets, the NCSC said. However, spyware has also been discovered in apps spoofing legitimate brands such as WhatsApp.

The NCSC and its international partners have published a technical analysis of the spyware, along with guidance for app store operators, developers and social media companies.

GCHQ Cheltenham. (Source – GCHQ)

Their joint statement reads: “Although BADBAZAAR and MOONSHINE have been observed targeting Uyghur, Tibetan and Taiwanese individuals, other malware variants also target minority groups in China. Citizens from co-signing nations, both within China and abroad, who are perceived to be supporting causes that threaten regime stability, are almost certainly under threat from mobile malware such as BADBAZAAR and MOONSHINE.”

“The capability to capture location, audio and photo data almost certainly provides the opportunity to inform future surveillance and harassment operations by offering real-time information on the target’s activity.”