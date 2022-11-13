Two long-running surveillance campaigns have been discovered targeting the Uyghur community in China and elsewhere, using Android spyware tools designed to collect sensitive information and track the victims' location.

The research uncovered a previously undocumented malware family called BadBazaar (for which even the major antivirus vendors have no signatures) and updated variants of a spyware tool dubbed MOONSHINE, first documented by researchers at the University of Toronto's Citizen Lab in September 2019.

BadBazaar and MOONSHINE: what we know about these spyware tools

“Mobile surveillance tools such as BadBazaar and MOONSHINE can be used to track many of the ‘pre-criminal’ activities, actions considered indicative of religious extremism or separatism by the Xinjiang authorities”, Lookout said in a detailed account of the operations.

According to the security company, the BadBazaar campaign dates back to late 2018 and includes 111 unique apps that masquerade as benign video players, messengers, religion-related apps, and even a spyware imitation of TikTok.

Although these samples were distributed through social media platforms and Uyghur-language communication channels, Lookout's investigation also found a dictionary app called “Uyghur Lughat” on the Apple App Store communicating with a server used by its Android counterpart to gather basic information about the iPhone.

So does the spyware also run on iPhones?

The iOS application, however, is still available on the App Store.

“As BadBazaar variants often acquire their surveillance capabilities by downloading updates from their [command-and-control server], it is possible that the threat actors hope to update the iOS [app] sample later with similar surveillance capabilities”, the researchers noted.

Once installed, BadBazaar has several features that allow it to collect call logs, GPS locations, SMS messages and the user's personal files; it can also record phone calls, take photos, and harvest the metadata present on the device.
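The capability list above maps directly onto Android permissions that an app must declare in its manifest before it can use them, which gives analysts a quick first triage step. The following script is an added example, not code from the article or from Lookout: it parses a decoded AndroidManifest.xml (as produced by apktool), maps the declared permissions to the surveillance capabilities attributed to BadBazaar, and flags apps whose lure (a "video player", say) has no business requesting that combination. The manifest contents, package name and capability labels are constructed for illustration; the permission names are the real Android constants. A point worth remembering alongside the researchers' note about capabilities being downloaded later: a module fetched from a C2 after install cannot use a permission the manifest never declared, so the manifest still bounds what a later update can do on that install.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Surveillance capabilities named in the article for BadBazaar, mapped to the
# Android permissions an app must declare to exercise them. The capability
# labels are ours; the permission strings are real Android constants.
CAPABILITY_PERMISSIONS = {
    "call logs": {"android.permission.READ_CALL_LOG"},
    "GPS location": {"android.permission.ACCESS_FINE_LOCATION",
                     "android.permission.ACCESS_COARSE_LOCATION"},
    "SMS messages": {"android.permission.READ_SMS",
                     "android.permission.RECEIVE_SMS"},
    "personal files": {"android.permission.READ_EXTERNAL_STORAGE",
                       "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "call/audio recording": {"android.permission.RECORD_AUDIO"},
    "photos": {"android.permission.CAMERA"},
}


def make_manifest(package: str, label: str, permissions: list[str]) -> str:
    """Build a decoded AndroidManifest.xml string (constructed test data only)."""
    uses = "\n".join(
        f'    <uses-permission android:name="{p}"/>' for p in permissions
    )
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">\n'
        f"{uses}\n"
        f'    <application android:label="{label}"/>\n'
        "</manifest>\n"
    )


# Constructed sample: a "video player" lure declaring the full BadBazaar-style
# permission set. Not taken from any real sample.
LURE_MANIFEST = make_manifest("com.example.videoplayer", "Video Player", [
    "android.permission.INTERNET",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
])

# Constructed benign control: a player that only needs network access.
BENIGN_MANIFEST = make_manifest("com.example.player", "Video Player", [
    "android.permission.INTERNET",
])


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    }


def surveillance_capabilities(manifest_xml: str) -> dict[str, set[str]]:
    """Map each capability to the declared permissions that enable it."""
    perms = declared_permissions(manifest_xml)
    return {
        cap: perms & needed
        for cap, needed in CAPABILITY_PERMISSIONS.items()
        if perms & needed
    }


def triage(manifest_xml: str, threshold: int = 3) -> dict:
    """Flag an app as suspicious when it can exercise >= threshold capabilities.

    The threshold is a heuristic: a genuine messenger legitimately asks for
    several of these, so compare against the real app's manifest and signing
    certificate before drawing conclusions.
    """
    caps = surveillance_capabilities(manifest_xml)
    return {
        "capabilities": sorted(caps),
        "suspicious": len(caps) >= threshold,
    }


if __name__ == "__main__":
    for name, manifest in (("lure", LURE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage(manifest))
```

Run against the trojanized WhatsApp or Telegram builds mentioned later in the article, this check alone would not separate the implant from the genuine app, since both request messaging, camera and microphone permissions; there the useful comparison is the diff between the suspect APK's manifest and signing certificate and those of the official release.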

Further analysis of BadBazaar's source code and infrastructure revealed overlaps with another spyware operation targeting the ethnic minority that came to light in July 2020 and used an Android toolset called DoubleAgent.

Attacks using MOONSHINE, similarly, have employed over 50 malicious spyware apps since July 2022, designed to harvest personal data from infected devices as well as record audio and download suspicious files.

“Most of these samples are Trojanized versions of popular social media platforms, such as WhatsApp or Telegram, or Trojanized versions of Muslim cultural applications, Uyghur language tools, or prayer programs”, the researchers said.

Previous malicious activity using the MOONSHINE Android spyware kit has been attributed to a threat actor tracked as POISON CARP (also known as Evil Eye or Earth Empusa), a China-based nation-state group known for its attacks on Uyghurs.

Asked for comment, Google said that all Android applications are scanned by Google Play Protect before they are published on the store and that it regularly monitors app behavior to identify policy violations.

“As a partner of the App Defense Alliance, we regularly partner with Lookout and others to help keep Google Play safe”, the tech giant said. “The applications included in this report were never published on Google Play and were rejected by our team as part of our application review process”.

The findings come just over a month after Check Point revealed details of another long-standing surveillance operation targeting the Turkic Muslim community that has been distributing a trojan called MobileOrder since at least 2015.

“BadBazaar and these new variants of MOONSHINE add to the already large collection of unique surveillance programs used in campaigns to monitor and subsequently detain individuals in China”, Lookout said.

“The wide distribution of BadBazaar and MOONSHINE and the speed with which new features have been introduced indicate that the development of these [malware] families is ongoing and that there is a continuing demand for these tools”.

The development also follows a report from Google Project Zero last week, which uncovered evidence that an unnamed commercial surveillance vendor was weaponizing three zero-day vulnerabilities in Samsung phones with an Exynos chip running kernel 4.14.113.

Samsung patched the vulnerabilities in March 2021.