A previously undocumented Android spyware tool called “BadBazaar” has been discovered targeting ethnic and religious minorities in China, particularly the Uyghurs of Xinjiang.
Uyghurs, a regional Muslim minority of about 13 million people, have suffered extreme oppression by the central Chinese government due to their cultural divergence from typical East China values.
The new spyware was originally discovered by MalwareHunterTeam and linked to Bahamut in VirusTotal detections.
Further analysis by Lookout revealed the malware to be new spyware using the same infrastructure seen in 2020 campaigns against Uyghurs by the state-backed hacking group APT15 (aka Pitty Tiger).
In addition, Lookout observed a second campaign involving new variants of Moonshine, a spyware discovered by CitizenLab in 2019 when used against Tibetan groups.
Since 2018, the BadBazaar operators have used at least 111 different apps to infect Uyghurs, promoting them on communication channels frequented by each targeted ethnic group.
The impersonated apps cover a wide range of categories, from dictionaries to religious practice guides and from battery optimizers to video players.
Lookout found no evidence that these apps ever reached Google Play, Android’s official app store, so they are likely distributed via third-party stores or malicious websites.
Interestingly, there is a single instance in the Apple App Store of an iOS app that communicates with the malicious C2 but does not provide spyware functionality, only sending the device’s UDID.
BadBazaar’s data collection capabilities include the following:
- Precise location
- List of installed apps
- Call logs with geolocation data
- Contact list
- Complete device information
- WiFi info
- Call recording
- Take photos
- Exfiltrate files or databases
- Access high-interest folders (images, IM app logs, chat history, etc.)
Looking into the C2 infrastructure, which, due to bugs, exposes some of the admin panels and the GPS coordinates of test devices, Lookout analysts found ties to the Chinese defense contractor Xi’an Tian He Defense Technology.
New Moonshine variants
As of July 2022, Lookout researchers noticed a new campaign involving 50 apps that deliver new versions of the “Moonshine” spyware to victims.
These apps are promoted on Uyghur-language Telegram channels, where rogue users recommend them as trustworthy software to other members.
The newer malware version is still modular, and its authors have added more modules to expand the tool’s monitoring capabilities.
Data that Moonshine steals from compromised devices includes network activity, IP address, hardware information, and more.
The C2 commands supported by the malware are:
- Call recording
- Collection of contacts
- Retrieve files from a location specified by the C2
- Collect device location data
- Exfiltrate SMS messages
- Camera capture
- Microphone recording
- Set up SOCKS proxy
- Collect WeChat data
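Both capability lists above (BadBazaar's data collection and Moonshine's C2 commands) boil down to a handful of Android runtime permissions that a sideloaded app must declare. The script below is an added example, not code from the Lookout report or from either malware family: it parses an app's AndroidManifest.xml, maps the declared permissions to the surveillance capabilities named above, and flags the ones that the app's claimed category (dictionary, video player, and so on) does not plausibly explain. The permission-to-capability mapping, the per-category expectations, the review threshold and both manifests are the author's assumptions and constructed data.

```python
"""Permission triage for sideloaded Android apps.

Added example, not from the Lookout report. Given an AndroidManifest.xml
and the category the app claims to belong to, list which surveillance
capabilities the declared permissions would enable and flag the ones the
claimed category does not explain. The mapping, the category expectations
and the sample manifests are assumptions/constructed data.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities named in the report -> permissions needed to exercise them.
# Assumption: one representative permission set per capability.
CAPABILITY_PERMISSIONS = {
    "precise location": {"android.permission.ACCESS_FINE_LOCATION"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "call/microphone recording": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "file access": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.MANAGE_EXTERNAL_STORAGE",
    },
    "wifi info": {"android.permission.ACCESS_WIFI_STATE"},
    "device info": {"android.permission.READ_PHONE_STATE"},
}

# Capabilities a legitimate app of each impersonated category could
# plausibly need (assumption; extend per your own app review policy).
EXPECTED_BY_CATEGORY = {
    "dictionary": set(),
    "religious guide": set(),
    "battery optimizer": {"device info"},
    "video player": {"file access"},
}

# Flag the app for manual review at this many unexplained capabilities.
REVIEW_THRESHOLD = 3


def declared_permissions(manifest_xml):
    """Return the set of permission names the manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms


def triage_manifest(manifest_xml, claimed_category):
    """Map declared permissions to capabilities and flag unexplained ones."""
    perms = declared_permissions(manifest_xml)
    enabled = sorted(
        cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed
    )
    expected = EXPECTED_BY_CATEGORY.get(claimed_category, set())
    unexplained = [cap for cap in enabled if cap not in expected]
    verdict = "review" if len(unexplained) >= REVIEW_THRESHOLD else "low"
    return {"capabilities": enabled, "unexplained": unexplained, "verdict": verdict}


# Constructed manifests for illustration; not taken from any real sample.
SUSPECT_DICTIONARY = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.dictionary">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Dictionary"/>
</manifest>
"""

BENIGN_PLAYER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Video Player"/>
</manifest>
"""

if __name__ == "__main__":
    for label, xml, category in (
        ("suspect dictionary", SUSPECT_DICTIONARY, "dictionary"),
        ("benign player", BENIGN_PLAYER, "video player"),
    ):
        print(label, triage_manifest(xml, category))
```

The point of keying the check on the claimed category rather than on permissions alone is that a video player legitimately reads storage, while a dictionary that wants fine location, call logs, contacts, microphone and camera has no benign reason to. On a real device the manifest can be pulled from an installed package with `aapt dump xmltree` or `apkanalyzer manifest print` before running the triage.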
Lookout found evidence that the authors of the new version of Moonshine are Chinese, as both code comments and server-side API documentation are written in Simplified Chinese.
This report indicates that despite outcry from international human rights organizations, surveillance of Chinese minorities continues unabated.