China Is Installing Android Malware on Tourists’ Phones
China has famously invasive security and surveillance operations, but activists report at least one region of the country has gotten even more Orwellian. Multiple news agencies have joined forces to analyze a new piece of malware, which Chinese border agents are forcing tourists to install on their phones. The software copies messaging and contacts, and searches phones for thousands of different documents.
Tourists report they’ve encountered this new device search when entering the Xinjiang region, which is home to the Uighur population. Millions of these ethnically Turkic Muslims live in China, almost all of them in Xinjiang. Beijing has been openly hostile toward the Uighur for years, including the use of mass surveillance and detention camps. The new malware, known as BXAQ or Fengcai, seems aimed at tracking Uighur populations and their sympathizers.
Crossing the border into Xinjiang can take the better part of a day due to the heavy security. As part of the process, visitors must surrender their smartphones for search. Motherboard, the Guardian, and the New York Times worked together to get a sample of the Fengcai app and have it analyzed by security firms like Süddeutsche Zeitung and Cure53. There’s nothing clever about the malware itself — it doesn’t exploit any security holes or vulnerabilities. However, it does extract a huge amount of information.
Fengcai is a standard Android app, but it has a huge number of sensitive permissions (see below), and it abuses those permissions to the extreme. Border agents have to side-load the app, which means bypassing several layers of protection that prevent users from accidentally installing unverified apps. After installation, the app copies the phone’s messaging history, calendar entries, contacts, and account details to a Chinese server.
After copying data, Fengcai searches the phone’s storage for more than 70,000 documents. Some of those are extremist Islamic material, but just as much of it is innocuous content like the Quran, information about the Dalai Lama, and scholarly books on the Islamic world. It even looks for songs by a Japanese metal band called Unholy Grave, which has a song about Taiwan.
Fengcai is designed to be uninstalled after collecting data — there’s even a large “uninstall” button in the app. It would appear border guards aren’t bothering to make people remove it, though. Motherboard has uploaded a copy of the Android APK to GitHub, but you probably shouldn’t install it. There are no reports of Fengcai being forced on tourists in other regions of China, but it wouldn’t be surprising to see something similar show up.