Media: spyware is installed on tourists’ smartphones at the Chinese border

Journalists from Vice Motherboard, Süddeutsche Zeitung, The Guardian, The New York Times and the German broadcaster NDR discovered that border guards install malware on the smartphones of tourists crossing the Chinese border.

Apparently, the problem is limited to the Xinjiang region, which has recently been at the center of another major scandal: last year the media became aware of a large-scale campaign to monitor the local Muslim population.

Now the press reports that spyware is being installed on the mobile devices of tourists crossing the border in Xinjiang. Local border guards ask tourists to unlock their mobile devices and then take the devices away for inspection. For iPhone users, the inspection includes connecting the smartphone to a computer in order to examine the contents of its memory.

Apparently, during such checks the authorities look for files that fall under the definition of Islamist extremist content, as well as completely harmless materials that are also related to Islam (including scholarly works by leading researchers), and even music by the Japanese band Unholy Grave.

On Android devices, however, the inspection goes further: the border guards install a spyware application called BXAQ or Fēng cǎi, copies of which were obtained by the editors of Süddeutsche Zeitung and Motherboard. Two reporters from Süddeutsche Zeitung crossed the border themselves and received the same malicious program on their phone. The journalists have already posted a message on GitHub.

“[This app] is another proof that mass surveillance is carried out in Xinjiang. We already knew that residents of Xinjiang, especially Muslim Turks, are subject to round-the-clock and large-scale monitoring in the region. Nevertheless, our findings go beyond the limits. This proves that even foreigners are subject to the same massive and illegal supervision,” says Maya Wang, a senior fellow at Human Rights Watch.

At the request of journalists, the spyware application was studied by Cure53 security experts (on behalf of the Open Technology Fund), Citizen Lab researchers from the University of Toronto, as well as specialists from the Ruhr University.

The analysis showed that, once installed on a device, BXAQ collects all entries from the phone’s calendar, contact list, call logs and text messages, and then uploads them to a remote server. The malware also scans the infected device to determine which applications are installed on it, and in some cases retrieves user names from installed applications.

Interestingly, the application does not try to hide from the user. Instead, an icon appears on the device screen, which makes it possible to remove the malware from the phone after it has been used. Evidently, the border guards are supposed to delete the application themselves, but they often forget to do so.

The experts also found hashes of more than 73,000 different files in the application’s code; these are the files that BXAQ scans for. As a rule, it is difficult to match such hashes to specific files, but the researchers were able to identify about 1,300 of them. This was mainly done using VirusTotal, but the experts also found other copies of these files on the Internet.

It turned out that many of the files being scanned for do contain explicitly extremist content, for example issues of Rumiyah, a magazine belonging to ISIS. Surprisingly, the application also searches for quotations from the Quran, PDF files related to the Dalai Lama, and music files from the Japanese band Unholy Grave.

Another item on the “blacklist” is the book “Syrian Jihad”, written by Charles Lister, a leading researcher of terrorism, a senior researcher and head of the program on countering terrorism and extremism at the Institute of the Middle East. Lister told reporters that this was the first time he had heard of such a thing, and suggested that the Chinese authorities consider any book with the word “jihad” in its title to be potentially suspicious.

Neither official representatives of the Chinese authorities nor representatives of Nanjing FiberHome StarrySky Communication Development Company Ltd, which is partly owned by the state and developed the application, have yet responded to the journalists’ inquiries or commented on the situation.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
