New BadBazaar Android malware linked to Chinese cyberspies

A previously undocumented Android spyware tool called “BadBazaar” has been discovered targeting ethnic and religious minorities in China, particularly the Uyghurs of Xinjiang.

Uyghurs, a regional Muslim minority of about 13 million people, have suffered extreme oppression by the central Chinese government due to their cultural divergence from typical East China values.

The new spyware was originally discovered by MalwareHunterTeam and linked to Bahamut in VirusTotal detections.

Further analysis by Lookout revealed the malware to be new spyware that uses the same infrastructure seen in 2020 campaigns against Uyghurs by the state-backed hacking group APT15 (aka Pitty Tiger).

In addition, Lookout observed a second campaign involving new variants of Moonshine, a spyware discovered by CitizenLab in 2019 when used against Tibetan groups.

BadBazaar details

Since 2018, BadBazaar has been delivered through at least 111 different apps to infect Uyghurs, with the apps promoted on communication channels frequented by that ethnic group.

The impersonated apps cover a wide range of categories, from dictionaries to religious practice guides and from battery optimizers to video players.

Few of the BadBazaar apps were promoted for Uyghurs (Lookout)

Lookout found no evidence that these apps ever reached Google Play, Android’s official app store, so they are likely distributed via third-party stores or malicious websites.

Interestingly, there is a single instance in the Apple App Store of an iOS app that communicates with the malicious C2 but does not provide spyware functionality, only sending the device’s UDID.

JAR payload retrieved from BadBazaar (Lookout)

BadBazaar’s data collection capabilities include the following:

  • Precise location
  • List of installed apps
  • Call logs with geolocation data
  • Contact list
  • SMS messages
  • Complete device information
  • Wi-Fi information
  • Call recording
  • Taking photos
  • Exfiltrating files or databases
  • Accessing folders of high interest (images, IM app logs, chat history, etc.)

Looking into the C2 infrastructure, which, due to bugs, exposes some of the admin panels and the GPS coordinates of test devices, Lookout analysts found ties to the Chinese defense contractor Xi’an Tian He Defense Technology.

New Moonshine variants

As of July 2022, Lookout researchers noticed a new campaign involving 50 apps that deliver new versions of the “Moonshine” spyware to victims.

These apps are promoted on Uyghur-language Telegram channels, where rogue users recommend them as trustworthy software to other members.

Examples of apps with Moonshine spyware (Lookout)

The newer malware version is still modular, and its authors have added more modules to expand the tool’s monitoring capabilities.

Data that Moonshine steals from compromised devices includes network activity, IP address, hardware information, and more.

Information collected by Moonshine (Lookout)

The C2 commands supported by the malware are:

  • Call recording
  • Collection of contacts
  • Retrieving files from a location specified by the C2
  • Collecting device location data
  • Exfiltrating SMS messages
  • Taking camera shots
  • Microphone recording
  • Setting up a SOCKS proxy
  • Collecting WeChat data
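
The two capability lists above (BadBazaar's data collection and Moonshine's C2 commands) translate into a recognisable Android permission footprint, and the report notes the apps never reached Google Play. The following triage helper, an added example that is not Lookout's code and uses a constructed app inventory, flags sideloaded apps whose requested permissions cover enough of that footprint to deserve a closer look; the threshold and the capability-to-permission mapping are assumptions.

```python
"""Triage helper: flag sideloaded Android apps whose requested permissions
cover the BadBazaar/Moonshine capability set described in the report.
Added example; the app inventory below is constructed, not from the report."""
from typing import Dict, List, Set

# Each capability named in the report, mapped to a real Android permission
# an app needs in order to exercise it (mapping is an assumption).
CAPABILITY_PERMS: Dict[str, Set[str]] = {
    "precise location": {"android.permission.ACCESS_FINE_LOCATION"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS"},
    "call/mic recording": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "wifi info": {"android.permission.ACCESS_WIFI_STATE"},
    "file exfiltration": {"android.permission.READ_EXTERNAL_STORAGE"},
}
PLAY_STORE = "com.android.vending"  # installer package name of Google Play

def matched_capabilities(perms: Set[str]) -> List[str]:
    """Capabilities from the report an app could exercise with these permissions."""
    return sorted(c for c, need in CAPABILITY_PERMS.items() if need & perms)

def triage(inventory: List[dict], threshold: int = 4) -> List[dict]:
    """Return apps installed from outside Google Play that cover at least
    `threshold` of the report's capabilities (threshold is an assumption)."""
    hits = []
    for app in inventory:
        caps = matched_capabilities(set(app["permissions"]))
        if app["installer"] != PLAY_STORE and len(caps) >= threshold:
            hits.append({"package": app["package"], "capabilities": caps})
    return hits

# Constructed inventory: package names and permission sets are made up.
SAMPLE_INVENTORY = [
    {"package": "com.example.dictionary", "installer": "unknown",
     "permissions": ["android.permission.ACCESS_FINE_LOCATION",
                     "android.permission.READ_CALL_LOG",
                     "android.permission.READ_CONTACTS",
                     "android.permission.READ_SMS",
                     "android.permission.RECORD_AUDIO",
                     "android.permission.CAMERA"]},
    {"package": "com.example.batterysaver", "installer": "unknown",
     "permissions": ["android.permission.ACCESS_WIFI_STATE"]},
    {"package": "com.example.messenger", "installer": PLAY_STORE,
     "permissions": ["android.permission.READ_CONTACTS",
                     "android.permission.READ_SMS",
                     "android.permission.RECORD_AUDIO",
                     "android.permission.CAMERA"]},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_INVENTORY):
        print(hit["package"], "->", ", ".join(hit["capabilities"]))
```

On a real device the inventory can be built from the output of `adb shell dumpsys package`, which lists each package's installer and granted permissions.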

Lookout found evidence that the authors of the new version of Moonshine are Chinese, as both code comments and server-side API documentation are written in Simplified Chinese.

“While Lookout researchers have not been able to tie the malware client or infrastructure to any specific technology company, the malware client is a well-built and full-featured monitoring tool that would likely have required significant resources.” – Lookout.

This report indicates that despite outcry from international human rights organizations, surveillance of Chinese minorities continues unabated.