China Adds App Fakery To Its Bag Of Oppression Tricks
The Chinese government hates its Muslim residents. It won't even pretend otherwise. The Uyghur Muslim population has been targeted for years, resulting in disappearances, violence, oppressive surveillance, and other efforts that demonstrate that finding the country's EXIT" sign isn't even an option.
It's everything we've come to hate about China, albeit something that follows a couple of decades of the Chinese government pretending to play nice to ensure its manufactured products find willing purchasers pretty much everywhere else in the world.
And the purchasers have played along. Even the UN has pitched in to help China oppress certain citizens. Countries on the receiving end of the supply chain are unwilling to call it quits with a violent, bigoted government. The outrage directed at the Chinese government by world governments is mostly performative, limited to ineffectual efforts that won't provoke China into calling in markers on all the foreign government debt it owns.
The only surprise in this report from the security researchers at Lookout is why the Chinese government is even bothering to disguise its methods.
In late 2021, Lookout researchers encountered a tweet from Twitter handle @MalwareHunterTeam referencing an English-Uyghur dictionary app that had been flagged by VirusTotal contributors as malware tied to Bahamut, a threat actor primarily active in the Middle East. While analyzing this sample, it became clear that this malware was instead connected to surveillance campaigns targeting Uyghurs and other Turkic ethnic minorities in China and abroad. Overlapping infrastructure and TTPs indicate these campaigns are connected to APT15, a Chinese-backed hacking group that's also known as VIXEN PANDA and NICKEL. We named this malware family BadBazaar in response to an early variant that posed as a third-party app store titled APK Bazar."
The research has continued, resulting in this conclusion:
Over 70% of these apps were found in Uyghur-language communication channels within the second half of 2022.
Given the years of oppression, the remaining, un-incarcerated-for-life members of this community are understandably suspicious of apps they don't recognize. Given the Chinese government's enthusiasm for pervasive surveillance, Uyghur residents may decide to find alternate routes for communications. Plenty of local options are obviously out of the question. And that's why the government is now impersonating apps to ensure Muslim residents stay under the government's thumb. Here are just some of the apps the spyware impersonates (screenshot via Lookout):
The subterfuge appears to be necessary for the government to talk Muslim minorities into implicating themselves in bogus crimes the Chinese government can utilize to vanish them away forever. And it's not just limited to Muslims in China. This particular impersonation goes beyond China's borders to target Muslims in nearby countries.
Specifically, several of the samples we analyzed masqueraded as mapping apps for other countries with significant Muslim populations, like Turkey or Afghanistan. We also found that a small subset of apps were submitted to the Google Play store, indicating that the threat actor was interested in targeting Android device users outside of China, if possible.
If there's any upside, it appears none of these variants were distributed by Google's Play Store. But if that store is not an option (and it isn't in China), users go elsewhere. And when they do that, they run a greater risk of downloading malicious software, rather than the apps they are seeking.
The surveillance software masquerading as common phone apps is extremely powerful. Lookout researchers report the variants they've seen can collect location data and access call logs and contact lists. They also can extract device-identifying info (IMEI, IMSI, etc.), Wi-Fi connections, and files stored on the device. On top of that, the malware can record phone calls and take pictures, completely compromising device users who've inadvertently installed the spyware.
This malware has been observed before by the researchers. But, as of July 2022, the malware has shifted to specifically target Muslims by spoofing apps most commonly used by the Muslim community. In addition to infecting targets sideloading apps (due to Google Play's unavailability), victims have reported being targeted with messages containing links to harmful spoofs via services like Telegram and WhatsApp. (Fun fact: the US Defense Department loves targeting Muslim-focused apps too!)
The researchers don't specifically name the Chinese government as the originator of these spoofed apps and subsequent infections. But they do point out most of this activity has been traced to Chinese threat actors" operating on behalf of the government. And that's just a layer of implausible deniability. The Chinese government wants its Muslim minority gone, if not just dead. That it's decided to engage in app-based oppression rather than genocide is perhaps commendable. But only because people have tended to take a dim view of genocide for the last 150 years or so. The Chinese government is evil. Just because it has somewhat pivoted to app fakery doesn't mean it's any less of a threat to its own people.