A previously undocumented Android spyware tool named ‘BadBazaar’ has been discovered targeting ethnic and religious minorities in China, most notably the Uyghurs in Xinjiang.
Uyghurs, a regional Muslim minority of roughly 13 million people, have suffered extreme oppression from the central Chinese government due to their cultural deviation from typical eastern Chinese values.
The new spyware was originally discovered by MalwareHunterTeam and linked to Bahamut in VirusTotal detections.
After further analysis by Lookout, the malware was found to be new spyware using the same infrastructure seen in 2020 campaigns against Uyghurs by the state-backed hacking group APT15 (aka “Pitty Tiger).
Additionally, Lookout observed a second campaign using new variants of ‘Moonshine,’ a spyware discovered by CitizenLab in 2019 while deployed against Tibetan groups.
BadBazaar details
The BadBazaar spyware has used at least 111 different apps since 2018 to infect Uyghurs, promoting them on communication channels populated by the particular ethnic group.
The impersonated apps cover a wide range of categories, from dictionaries to religious practice companions and from battery optimizers to video players.
Lookout has found no evidence of these apps ever reaching Google Play, Android’s official app store, so they are likely distributed via third-party stores or malicious websites.
Interestingly, there’s a single case of an iOS app on the Apple App Store that communicates with the malicious C2, yet it doesn’t feature spyware functionality, only sending the device UDID.
BadBazaar’s data-collecting capabilities include the following:
Precise location
List of installed apps
Call logs with geolocation data
Contacts list
SMS
Complete device info
WiFi info
Phone call recording
Take pictures
Exfiltrate files or databases
Access folders of high-interest (images, IM app logs, chat history, etc.)
Looking into the C2 infrastructure, which exposes some of the admin panels and the GPS coordinates of test devices due to errors, Lookout analysts found connections to the Chinese defense contractor Xi’an Tian He Defense Technology.
New Moonshine variants
Starting in July 2022, Lookout researchers noticed a new campaign using 50 apps that push new versions of the ‘Moonshine’ spyware to victims.
These apps are promoted on Uyghur-speaking Telegram channels, where rogue users suggest them as trustworthy software to other members.
The newer malware version is still modular, and its authors have added more modules to extend the tool’s surveillance capabilities.
The data Moonshine steals from compromised devices include network activity, IP address, hardware info, and more.
The C2 commands supported by the malware are:
Call recording
Contact collection
Retrieve files from a location specified by the C2
Collect device location data
Exfiltrate SMS messages
Camera capture
Microphone recording
Establish SOCKS proxy
Collect WeChat data
Lookout has found evidence that the authors of the new Moonshine version are Chinese, as both code comments and server-side API documentation are written in simplified Chinese.
“While Lookout researchers could not connect the malware client or infrastructure to a specific technology company, the malware client is a well-built and full-featured surveillance tool that would have likely required substantial resources.” – Lookout.