Android malware

New BadBazaar Android malware linked to Chinese cyber spies

A previously undocumented Android spy tool named “Bazaar” has been discovered targeting ethnic and religious minorities in China, most notably the Uyghurs in Xinjiang.

The Uyghurs, a Muslim minority in the region with a population of about 13 million, have suffered extreme oppression from the Chinese central government because of its cultural deviation from typical Eastern Chinese values.

The new spyware was originally discovered by MalwareHunterTeam associated with Bahamut In VirusTotal Findings.

After further analysis by Lookout, the malware was found to be new spyware that uses the same infrastructure seen in the 2020 campaigns against Uyghurs by the state-backed hacking group. APT15 (aka “Betty Tiger).

In addition, Lookout observed a second campaign using new variants of “Moonshine”, a spyware that was discovered by Citizen Lab in 2019 while publishing against Tibetan groups.

BadBazaar details

BadBazaar spyware has used at least 111 different apps since 2018 to infect Uyghurs, promoting them on communication channels populated by a particular ethnic group.

The impersonated apps cover a wide range of categories, from dictionaries to companions of religious practices and from battery optimizers to video players.

Only a few BadBazaar apps have been upgraded to Uyghurs
Only a few BadBazaar apps have been upgraded to Uyghurs (Whatch out)

Lookout has not found any evidence of these apps reaching Google Play, the official Android app store, so it is likely that they are distributed via third-party stores or malicious sites.

Interestingly, there is one instance of the iOS app on the Apple App Store connecting to malicious C2, however it doesn’t feature spyware functionality, it just sends the device’s UDID.


BadBazaar’s data collection capabilities include:

  • Exact location
  • List of installed applications
  • Call logs with geolocation data
  • contact list
  • short message
  • Complete device information
  • WiFi information
  • Recording phone calls
  • take pictures
  • Theft of files or databases
  • Access to folders of high importance (photos, IM app logs, chat history, etc.)

Looking at the C2 infrastructure, which reveals some management boards and GPS coordinates of test devices due to errors, Lookout analysts have found links to Chinese defense contractor Xi’an Tian He Defense Technology.

New Moonshine variants

Beginning in July 2022, Lookout researchers have observed a new campaign using 50 apps that deliver new versions of the “Moonshine” spyware to victims.

These apps are promoted on Uyghur-speaking Telegram channels, where rogue users suggest them as trustworthy software to other members.

Sample of applications that carry Moonshine
Sample of applications that carry Moonshine spyware (Whatch out)

The latest version of the malware is still modular, and its authors have added more modules to extend the tool’s monitoring capabilities.

Data that Moonshine steals from hacked devices includes network activity, IP address, hardware information, and more.

Information collected by Moonshine
Information collected by Moonshine (Whatch out)

The C2 commands supported by the malware are:

  • Call Recording
  • Collect contacts
  • Recover files from a location specified by C2
  • Device location data collection
  • SMS theft
  • camera capture
  • microphone recording
  • Create a SOCKS Proxy
  • WeChat data collection

Lookout found evidence that the authors of the new Moonshine version are Chinese, with both code comments and server-side API documentation written in Simplified Chinese.

“While Lookout researchers have not been able to connect the malware client or infrastructure of a particular technology company, the malware client is a well-designed, full-featured monitoring tool that is likely to require significant resources.” – Whatch out.

This report indicates that surveillance of Chinese minorities continues unabated despite cry from the world human rights protection organizations.

#BadBazaar #Android #malware #linked #Chinese #cyber #spies

Leave a Comment

Your email address will not be published. Required fields are marked *