News regarding China’s exploitative and invasive surveillance techniques and policies against its citizens has become commonplace for cybersecurity readers; however, this time, a collaboration between investigative journalists from different global news sites has found that Chinese authorities are also forcing tourists entering Chinese cities to install malware that can read all their text messages.
According to the report from then collaborative investigation of Motherboard, Süddeutsche Zeitung, the Guardian, the New York Times, and the German public broadcaster NDR, foreigners crossing the Chinese border entering the province of Xinjiang region are being forced to install spyware that can effectively eavesdrop to everything a user does in his phone. The data that can be collected by the said malware including text messages, calendar entries, and phone logs, as well as scans the device for over 70,000 different files.
The Android malware, called BXAQ or Fengcai — which is installed by the border guard after the phone is seized for inspection — is capable of scanning the phone’s files for specific data. The records they are looking for include Islamic extremist content, but also innocuous Islamic material, academic books on Islam by leading researchers, and even music from a Japanese metal band.
Once installed on an Android phone, by “side-loading” its installation and requesting specific permissions rather than downloading it from the Google Play Store, BXAQ collects all of the phone’s calendar entries, phone contacts, call logs, and text messages and uploads them to a server, according to expert analysis. The malware also scans the phone to see which apps are installed and extracts the subject’s usernames for some installed apps.
“This is yet another example of why the surveillance regime in Xinjiang is one of the most unlawful, pervasive, and draconian in the world,” Edin Omanovic, state surveillance program lead at Privacy International said.
“Modern extraction systems take advantage of this to build a detailed but flawed picture into people’s lives. Modern apps, platforms, and devices generate huge amounts of data which people likely aren’t even aware of or believe they’ve deleted, but which can still be found on the device. This is highly alarming in a country where downloading the wrong app or news article could land you in a detention camp,” he added.
Xinjiang’s anti-Islamic campaign
The Uighur population in Xinjiang, who live under the constant gaze of facial recognition systems, CCTV, and physical searches, have since been terrorized by the government in its anti-Islamic campaign. Human rights abuses have been recorded in the city and have targeted the local Muslim community.
“[This app] provides yet another source of evidence showing how pervasive mass surveillance is being carried out in Xinjiang. We already know that Xinjiang residents—particularly Turkic Muslims—are subjected to round-the-clock and multidimensional surveillance in the region,” Maya Wang, China senior researcher at Human Rights Watch, said. “What you’ve found goes beyond that: it suggests that even foreigners are subjected to such mass and unlawful surveillance.”
This raises the alarm as this is the first recorded evidence that Chinese city government’s invasive and problematic surveillance campaigns also include foreigners and tourists.
Similar Android malware app forced on Chinese citizens
The discovery of this surveillance technique isn’t new to reporters, especially if they’re talking about China. Only recently, a journalist has discovered that Chinese law enforcement is also forcing their citizens to install Android malware that could scan their phones and read their messages and other communication data.
Cybersecurity experts in three different separate research have confirmed the existence of a new surveillance tool used by Chinese police to spy on their citizen, including a new technique that they employ to collect alarming amounts of data.
The tool, MFSocket, can be installed in both Android and iOS devices but not by the users — but by the police. This means that for the tool to be installed on the user’s phone, they have to contact the police, go to the police station, and have them install the app for them.
According to the journalist, people in Chinese social networks have been reporting incidents of police checking people’s phone in Beijing and Shanghai, and her investigation leads her to the questionable application.
The type of communication system used in the app allows policemen to collect sensitive data from users without them knowing. These data includes contacts, SMS, call log, locations, apps, audio files, image files, calendar events, among others.
Additionally, the data collected by the police aren’t just simple data. The researchers also discovered that the app includes data modules which allow the app to dive deep into the phone to extract detailed information. In AudioMsgModule, they collect the title, album, artist, the date a user added the audio files that are saved in the user’s phone. In CalendarMsgModule, they are extracting all the information contained in a users’ calendar: title of the event, location, description, start time, end time, and many others.