
Governments expose Android apps used as spyware

Western governments exposed over 100 Android apps used to surveil groups deemed a threat to China’s state interests. 

 

What happened

A coalition of Western governments has identified and exposed dozens of seemingly legitimate Android apps that were actually spyware designed to surveil civil society groups that China viewed as potential threats to its state interests. The announcement came from the U.K.’s National Cyber Security Centre (NCSC), which worked in coordination with cybersecurity and intelligence agencies in the U.S., Australia, Canada, Germany, and New Zealand.

These apps were found to contain two strains of spyware, dubbed BadBazaar and Moonshine, both previously flagged by cybersecurity researchers for their surveillance capabilities.

 

Going deeper

According to the NCSC, BadBazaar and Moonshine functioned as trojan malware, allowing covert access to device features including the camera, microphone, messaging apps, photos, and real-time location data. These apps primarily targeted Uyghur Muslims, Tibetans, Taiwanese communities, and others involved in democracy advocacy or ethnic and religious movements that the Chinese state views as destabilizing.

To improve its chances of being downloaded, the spyware was often disguised as popular or culturally tailored apps, such as Muslim and Buddhist prayer apps and clones of Signal, Telegram, WhatsApp, and Adobe Acrobat PDF reader. In total, over 100 Android apps were identified as malicious. One iOS app, TibetOne, was also found to have been listed on Apple’s App Store in 2021.

These tools were deployed internationally and appear to have been carefully crafted to exploit the specific interests and needs of targeted communities.

 

What was said

In its advisory, the NCSC noted, “The apps specifically target individuals internationally who are connected to topics that are considered by the Chinese state to pose a threat to its stability.” The agency stated that individuals linked to Taiwanese independence, Tibetan rights, Uyghur Muslims, Hong Kong democracy movements, and Falun Gong were especially at risk.

As of publication, Google and Apple had not responded to requests for comment regarding their platforms’ roles in distributing the malicious apps.

 

The big picture

The revelation brings into sharp focus how ordinary apps can serve as tools of extraordinary control. Mobile devices, meant to connect and empower, are being turned against vulnerable communities in ways that are silent, targeted, and deeply invasive. These apps can be especially damaging for those already living under surveillance or in exile, who may now feel in danger in the digital world. As governments call out these threats, the real challenge lies in addressing the global tech infrastructure that enables such spyware to thrive.

 

FAQs

How can users protect themselves from spyware disguised as legitimate apps?

Only download apps from trusted developers, check reviews and permissions carefully, keep your device and apps updated, and use reputable mobile security tools.

 

Why are Android devices more commonly targeted than iOS?

Android allows app installations from third-party sources and has a more open ecosystem, making it easier for threat actors to distribute malicious apps outside the official Play Store.

 

What are the signs a phone may be compromised by spyware?

Common signs include unexpected battery drain, device overheating, high data usage, unusual behavior like pop-ups or app crashes, and the microphone or camera activating without input.

 

Who is most at risk of being targeted by spyware apps?

Journalists, activists, minority groups, political dissidents, and anyone involved in sensitive political or human rights work are typically at higher risk.

 

What actions can tech platforms take to prevent the spread of spyware apps?

They can strengthen app vetting processes, improve detection of malicious behavior, provide clearer warnings about permissions, and respond more rapidly to threat intelligence shared by security agencies.