Chinese Border Authorities Forcing Surveillance Malware onto Tourists’ Phones – What Does this Mean for Organizational Data Security?
Tourists crossing the border into the Xinjiang region in China are being forced to install a piece of Chinese malware on their phones capable of downloading text messages and scanning over 70,000 different files, a collaboration by Motherboard, Süddeutsche Zeitung, the Guardian, the New York Times, and the German public broadcaster NDR has found.
The Uighur population living in Xinjiang lives under the constant gaze of aggressive security measures. These include facial recognition systems, CCTV, and physical searches by the Chinese government. Now we know that this hostile style of policing and surveillance has extended to foreigners too. It is believed that the files the authorities are looking for include Islamic extremist content. However, innocuous Islamic materials and ordinary communications are also logged by the app.
The Chinese malware app, called BXAQ or Fengcai, is installed onto a visitor’s Android device when it is taken to be searched by border authorities when crossing the border by land from Central Asia. Instead of being downloaded from the Google Play Store, the app is sideloaded onto the device and configured by the border guards. The app is then able to collect all of the phone’s calendar entries, contacts, call logs and text messages, which are compiled into a report and uploaded to a server, while the malware also scans the phone for over 73,000 different files.
Screenshot of the app on the Android homescreen
Research teams from penetration testing firm Cure53, Citizen Lab at the University of Toronto, the Ruhr University Bochum, and the Guardian managed to uncover the inputs of approximately 1,300 of these files, many of which contain clearly extremist content. But the app was also found to scan for parts of the Quran, PDFs relating to the Dalai Lama, a music file from the Japanese metal band Unholy Grave, as well as the book The Syrian Jihad by leading terrorism scholar Charles Lister.
It is believed that iPhone users were not spared the scrutiny of the authorities. According to reports, visitors’ iPhones were unlocked and connected via USB cable to a hand-held device at the border; however, what exactly the device did could not be determined.
This news is highly alarming from both a human rights and data security perspective. “This is yet another example of why the surveillance regime in Xinjiang is one of the most unlawful, pervasive and draconian in the world,” Edin Omanovic, state surveillance programme lead at Privacy International, said. Beyond this, it highlights the need to be aware of what is happening with our mobile devices and data at all times. For organizations, employees’ phones can potentially hold a multitude of sensitive data. Without knowledge of who has access to these devices and the data they hold, organizations are at serious risk of a data breach with catastrophic results. We know that there are bad actors out there trying to access data, so it is up to us to defend it.