Chinese ethnic groups targeted by the new BadBazaar spyware

November 24, 2022

Ethnic and religious minority groups in China, including Uyghurs from Xinjiang, have reportedly been targeted by a threat group deploying an Android spyware tool dubbed ‘BadBazaar.’ The researchers who uncovered the campaign have linked it to a 2020 campaign against Uyghurs attributed to APT15 (Pitty Tiger).

Since 2018, the spyware operators have used more than a hundred mobile applications to target Uyghur users. The malicious apps were typically promoted on communication channels popular with Uyghur communities.


The researchers stated that the applications trojanized with BadBazaar range from dictionaries and religious communication platforms to battery optimisers and video players.


The researchers found none of the malicious apps on Google Play, which implies the apps are distributed through third-party sources or attacker-controlled websites and must be sideloaded by the victim.

Based on the analysis of BadBazaar, its capabilities include collecting the device location, the list of installed apps, call logs, the contacts list, text messages, full device information and WiFi details, as well as recording phone calls, taking photos, stealing files, and accessing folders on the victim’s device.
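Because the apps are sideloaded rather than vetted by Google Play, one practical check is to compare what an app claims to be with what its manifest asks for. The following script is an added example, not code from the page or from the researchers who analysed BadBazaar: it parses a decoded AndroidManifest.xml (as produced by tools such as apktool) and maps the declared permissions onto the capability list above. The permission-to-capability mapping and the flagging threshold are my own assumptions, and the manifest is a constructed sample of a “dictionary” app requesting far more than a dictionary needs.

```python
"""Triage a decoded AndroidManifest.xml against the surveillance capabilities
attributed to BadBazaar.  Added example; the capability -> permission mapping
is an assumption, not a statement of what BadBazaar itself declares."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: capability named in the report -> Android permissions that enable it.
CAPABILITY_PERMISSIONS = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "installed apps": {"android.permission.QUERY_ALL_PACKAGES"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "device info": {"android.permission.READ_PHONE_STATE"},
    "wifi": {"android.permission.ACCESS_WIFI_STATE"},
    "call recording": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.MANAGE_EXTERNAL_STORAGE"},
}


def declared_permissions(manifest_xml: str) -> set:
    """Return the android:name values of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def surveillance_capabilities(manifest_xml: str) -> list:
    """List the report's capabilities that the declared permissions would enable."""
    perms = declared_permissions(manifest_xml)
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items()
                  if perms & needed)


def triage(manifest_xml: str, threshold: int = 4) -> tuple:
    """Flag the app when it can exercise at least `threshold` capabilities.
    The threshold is an assumed heuristic; a dictionary app should score zero."""
    caps = surveillance_capabilities(manifest_xml)
    return len(caps) >= threshold, caps


# Constructed sample: a "dictionary" app whose manifest asks for call logs,
# SMS, location, microphone, camera and contacts.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.dictionary">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Dictionary"/>
</manifest>"""

# Constructed sample: the same kind of app with only the permissions it plausibly needs.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.dictionary">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Dictionary"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        flagged, caps = triage(manifest)
        print(f"{label}: flagged={flagged} capabilities={caps}")
```

Declared permissions are only a first-pass filter: an app can request a permission it never uses, and an app can also stay under the threshold while still exfiltrating data through the permissions it does hold, so a flag here is a reason to look at the code and network behaviour, not a verdict.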

Besides the BadBazaar campaign, the researchers also found a new campaign using fresh variants of the ‘Moonshine’ spyware, a tool first seen in 2019 in attacks against Tibetan groups.

These recent Moonshine campaigns used about 50 malicious Android applications to deliver the new versions of the spyware to their targets.

Like BadBazaar, the Moonshine spyware is marketed on messaging channels where Uyghur users gather. The operators present the apps as trustworthy to persuade targets to install them on their devices.

The analysts also stated that the Moonshine spyware can steal data from compromised devices, including IP addresses, network activity, and hardware information. Code comments and server-side API documentation written in simplified Chinese indicate that the authors of the new Moonshine version are Chinese speakers.

Despite these minority groups’ calls for protection against digital surveillance, the reports show that the threat actors continue to target them.
