A previously undocumented Android spyware tool named ‘BadBazaar’ has been discovered targeting ethnic and religious minorities in China, most notably the Uyghurs in Xinjiang.
Uyghurs, a regional Muslim minority of roughly 13 million people, have suffered extreme oppression from the central Chinese government due to their cultural deviation from typical eastern Chinese values.
After further analysis, Lookout determined the malware to be new spyware that uses the same infrastructure seen in 2020 campaigns against Uyghurs by the state-backed hacking group APT15 (aka “Pitty Tiger”).
Additionally, Lookout observed a second campaign using new variants of ‘Moonshine,’ a spyware discovered by CitizenLab in 2019 while deployed against Tibetan groups.
The BadBazaar spyware has been distributed through at least 111 different apps since 2018 to infect Uyghurs, with the apps promoted on communication channels used by that community.
The impersonated apps cover a wide range of categories, from dictionaries to religious practice companions and from battery optimizers to video players.
Interestingly, there’s a single case of an iOS app on the Apple App Store that communicates with the malicious C2, yet it doesn’t feature spyware functionality, only sending the device UDID.
BadBazaar’s data-collecting capabilities include the following:
- Precise location
- List of installed apps
- Call logs with geolocation data
- Contacts list
- Complete device info
- WiFi info
- Phone call recording
- Camera capture
- File and database exfiltration
- Access to high-interest folders (images, IM app logs, chat history, etc.)
Looking into the C2 infrastructure, which due to errors exposes some of its admin panels and the GPS coordinates of test devices, Lookout analysts found connections to the Chinese defense contractor Xi’an Tian He Defense Technology.
New Moonshine variants
Starting in July 2022, Lookout researchers noticed a new campaign using 50 apps that push new versions of the ‘Moonshine’ spyware to victims.
These apps are promoted on Uyghur-speaking Telegram channels, where rogue users suggest them as trustworthy software to other members.
The newer malware version is still modular, and its authors have added more modules to extend the tool’s surveillance capabilities.
The data Moonshine steals from compromised devices includes network activity, IP address, hardware info, and more.
The C2 commands supported by the malware are:
- Call recording
- Contact collection
- File retrieval from a location specified by the C2
- Device location collection
- SMS exfiltration
- Camera capture
- Microphone recording
- SOCKS proxy establishment
- WeChat data collection
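Both capability lists above (BadBazaar's and Moonshine's) boil down to a recognisable bundle of Android permissions: location, call log, contacts, SMS, microphone, camera, storage, plus network access for exfiltration. A defender with device access can use that bundle as a triage prior. The script below is an added example, not code from the article or from Lookout: it parses the permission section of `adb shell dumpsys package` output (the layout is approximated from real output and the package names and grant states are constructed for this example), maps granted permissions to the surveillance capabilities named above, and flags any app that holds a network path plus at least four of the sensitive capabilities. The capability-to-permission mapping and the threshold are editorial assumptions, not indicators published with the research.

```python
import re
from collections import defaultdict

# Surveillance capabilities from the two lists above, mapped to the standard
# Android permissions an app needs to exercise them. The mapping itself is an
# assumption made for this example, not an indicator from the research.
CAPABILITY_PERMS = {
    "location":   {"android.permission.ACCESS_FINE_LOCATION"},
    "call_logs":  {"android.permission.READ_CALL_LOG"},
    "contacts":   {"android.permission.READ_CONTACTS"},
    "sms":        {"android.permission.READ_SMS"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "camera":     {"android.permission.CAMERA"},
    "files":      {"android.permission.READ_EXTERNAL_STORAGE",
                   "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "wifi_info":  {"android.permission.ACCESS_WIFI_STATE"},
    "network":    {"android.permission.INTERNET"},
}

# Constructed excerpt in the shape of `adb shell dumpsys package` output.
# Package names and grant states are invented for this example.
SAMPLE_DUMPSYS = """Packages:
  Package [com.example.uyghurdict] (3f2a1b):
    userId=10231
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_WIFI_STATE: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
  Package [com.example.messenger] (77c0de):
    userId=10232
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
  Package [com.example.batterysaver] (9e1f00):
    userId=10233
    install permissions:
      android.permission.INTERNET: granted=true
"""

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_granted_permissions(text):
    """Return {package: set(granted permission names)} from dumpsys text."""
    granted = defaultdict(set)
    current = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            granted[current]  # register the package even if nothing is granted
            continue
        m = PERM_RE.match(line)
        if m and current and m.group(2) == "true":
            granted[current].add(m.group(1))
    return dict(granted)


def capabilities_of(perms):
    """Capabilities an app could exercise given its granted permissions."""
    return {cap for cap, needed in CAPABILITY_PERMS.items() if perms & needed}


def triage(text, threshold=4):
    """Flag packages that combine a network path with at least `threshold`
    sensitive capabilities. Returns {package: sorted sensitive capabilities}."""
    flagged = {}
    for pkg, perms in parse_granted_permissions(text).items():
        caps = capabilities_of(perms)
        sensitive = caps - {"network"}
        if "network" in caps and len(sensitive) >= threshold:
            flagged[pkg] = sorted(sensitive)
    return flagged


if __name__ == "__main__":
    for pkg, caps in triage(SAMPLE_DUMPSYS).items():
        print(f"{pkg}: {', '.join(caps)}")
```

The threshold deliberately leaves a messenger with contacts, camera and microphone unflagged, because legitimate communication apps need exactly those. The stronger signal, as the article's examples of impersonated dictionaries and battery optimizers show, is the mismatch between an app's stated purpose and the permission bundle it holds, so the output is a shortlist for analyst review rather than a verdict.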
Lookout has found evidence that the authors of the new Moonshine version are Chinese, as both code comments and server-side API documentation are written in simplified Chinese.
“While Lookout researchers could not connect the malware client or infrastructure to a specific technology company, the malware client is a well-built and full-featured surveillance tool that would have likely required substantial resources.” – Lookout.