A coalition of government cybersecurity agencies from the United Kingdom, United States, Canada, Australia, New Zealand, and Germany has revealed dozens of Android apps containing spyware that were designed to target specific groups within civil society who are seen as threats to China’s state interests.
On Tuesday, the U.K.’s National Cyber Security Centre (NCSC), part of intelligence agency GCHQ, along with partner agencies from several allied governments, issued joint warnings regarding two particular spyware families identified as BadBazaar and Moonshine. The agencies warned that the spyware was embedded in apps disguised as legitimate, trustworthy utilities and messaging platforms, effectively turning them into covert surveillance tools.
According to authorities, the malicious apps granted perpetrators extensive access to user devices, enabling remote control over microphones and cameras as well as unrestricted access to sensitive data such as private messages, photographs, contacts, and location information.
Previous assessments by cybersecurity firms such as Lookout, Trend Micro, Volexity, and Citizen Lab have documented the operations and technical characteristics of these malware families. The surveillanceware specifically targeted Uyghur, Tibetan, and Taiwanese communities abroad, along with other groups labeled by the Chinese state as politically sensitive. Uyghurs, in particular, have been persistently subjected to hacking and surveillance campaigns due to their targeted status by the Chinese government, which has continued to face international criticism for human rights violations against ethnic minorities, especially in the Xinjiang Uyghur Autonomous Region.
According to the NCSC briefing, among the more than one hundred malicious apps identified were fake prayer applications aimed at Muslim and Buddhist communities, imitation versions of popular encrypted messaging apps such as Signal, Telegram, and WhatsApp, as well as fraudulent utility tools, including a fake Adobe Acrobat PDF reader.
Additionally, the authorities highlighted one specific app named TibetOne, which had previously appeared in Apple’s App Store in 2021, suggesting surveillance attempts were not limited solely to Android devices.
Neither Google nor Apple immediately provided comments in response to the findings outlined in this advisory.
