Spyware accessing phone audio and cameras for data ‘of use to China’, NCSC warns
9 April 2025, 00:04
The apps inside legitimate software in a technique known as trojanising, cyber experts warn.
Uighur, Tibetan and Taiwanese communities across the world are being targeted by spyware apps combing data likely to be of value to China, UK cyber experts have warned.
Malicious software dubbed MOONSHINE and BADBAZAAR is accessing microphones, cameras, messages, photos and location data without users being aware, GCHQ’s National Cyber Security Centre (NCSC) said.
The apps hide inside legitimate software in a technique known as trojanising, and are being used specifically to target individuals internationally who are linked to issues considered by Beijing to pose a threat to its security, experts warn.
In new guidance, the NCSC, along with agencies in Australia, Canada, Germany, New Zealand and the US, is advising people to take four key steps to protect their devices.
People must “stay mainstream” by only using trusted app stores, “stay organised” by reviewing installed apps and permissions regularly, “stay in touch” by reporting suspicious files, and “stay safe” by checking shared files and links, it says.
The apps often mimic popular software, with some designed to appeal directly to victims.
Examples of software include “Tibet One” and “Audio Quran” apps, which support targets’ native languages and have been promoted in online forums frequented by intended users, as well as some apps imitating the likes of WhatsApp and Skype.
Data being collected is “almost certainly of value” to the Chinese government and could facilitate surveillance and harassment, cyber experts warn.
Civil society groups are also being targeted, according to the advisory.
The guidance was published jointly by the NCSC, the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, the German Federal Intelligence Service, the German Federal Office for the Protection of the Constitution, the New Zealand National Cyber Security Centre, the US Federal Bureau of Investigation and the US National Security Agency.
It says: “Although BADBAZAAR and MOONSHINE have been observed targeting Uighur, Tibetan and Taiwanese individuals, there are other malware that target other minority groups in China. Citizens from co-sealing nations, in China and abroad, who are perceived to be supporting causes that threaten regime stability are almost certainly under threat from mobile malware such as BADBAZAAR and MOONSHINE.
“The capability to capture location, audio and photo data almost certainly provides the opportunity to inform future surveillance and harassment operations by providing real-time information on the target’s activity.”
