
NCSC shares technical details of spyware targeting Uyghur, Tibetan and Taiwanese groups

The U.K.’s National Cyber Security Centre and international cybersecurity and intelligence agencies on Wednesday said hackers are deploying two forms of previously identified spyware to snoop on Uyghur, Tibetan and Taiwanese individuals and civil society organizations.

The surveillance software — labeled MOONSHINE and BADBAZAAR — breaks into device microphones and cameras and harvests messages, photos and location data, allowing users to be monitored in real time without their knowledge.

The NCSC, part of the U.K.’s GCHQ intelligence agency, as well as international government and industry partners, uncovered the technical underpinnings of the surveillance software and offered guidance and technical analysis to cybersecurity experts and app store operators and developers.

Spyware-infected apps are being used to target individuals and organizations worldwide who are tied to activities “considered by the Chinese state to pose a threat to its stability,” NCSC said in a press release.

Device owners who are thought to be most at risk of targeting are those tied to Taiwan’s independence movement, Tibetan rights organizations and Uyghur Muslims. Ethnic minorities in or from China’s Xinjiang Uyghur Autonomous Region, those advocating for democracy and members of the Falun Gong faith are also believed to be at risk.

Some of the apps mimic popular platforms like WhatsApp and Skype, while others have been set up as standalone platforms to attract interest from potential victims in the targeted communities. 

Two standalone apps, Tibet One and Audio Quran, are available in users’ native languages and are pushed in online gathering places known to attract members of the targeted communities. 

For example, hackers shared the Tibet One app in Telegram channels focused on the region and in relevant Reddit forums, NCSC said.

Tibet One is an iOS app which was uploaded to the Apple App Store in December 2021 but has since been removed. The NCSC said “malicious actors” created the app as a vehicle for infecting users' devices with BADBAZAAR spyware.

The Audio Quran app uses MOONSHINE spyware to track Uyghurs, NCSC said, creating trust by using the Uyghur language in the file name and describing itself as containing content related to the Quran, the main religious text of Islam.

Taiwan has never been governed by China, but Beijing has made it clear that it wants to unify the country with the mainland and is considering military force to do so.

The Uyghurs are a Muslim minority in China. The Chinese government has reportedly held over a million Uyghurs in reeducation camps for nearly a decade.

Parts of Tibet are an autonomous region within China, whose government has cracked down on an independence movement there.

“We are seeing a rise in digital threats designed to silence, monitor, and intimidate communities across borders,” NCSC Director of Operations Paul Chichester said in a statement.

The NCSC is warning at-risk populations to use only known app stores, check apps once installed, routinely review permissions, report questionable messages and files, and carefully inspect shared files and links on social media.

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.