China Is Forcing Tourists To Install A Smartphone App That Steals Personal Data


In May, Human Rights Watch (HRW) exposed details of a smartphone app used by the police in Xinjiang to tightly monitor its oppressed citizens. App usage—including prohibited technologies such as WhatsApp and Viber—were flagged, and the technology was designed to draw automated inferences as to which citizens should be detained or investigated.

Now, a joint investigation by Motherboard, Süddeutsche Zeitung, the Guardian, the New York Times, and Germany’s NDR has found that the use of smartphone surveillance is not limited to the local population, with foreigners crossing into Xinjiang “forced to install a piece of malware on their phones that gives all of their text messages as well as other pieces of data to the authorities.”

At a number of border crossings, guards take phones and install the malware—called BXAQ or Feng Cai—which scans the device for files against a target list, including “Islamic extremist content, but also innocuous Islamic material, academic books on Islam by leading researchers, and even music from a Japanese metal band.” Across more than 70,000 target files, the app was also found to be searching for installed copies of the Quran.

Penetration testing firm Cure53 on behalf of the Open Technology Fund, researchers at Citizen Lab from the University of Toronto, and researchers from the Ruhr University Bochum as well as theGuardian itself all provided insights about BXAQ. The app’s code also includes names such as “CellHunter” and “MobileHunter.”

Once installed on an Android phone, by “side-loading” its installation and requesting certain permissions rather than downloading it from the Google Play Store, BXAQ collects all of the phone’s calendar entries, phone contacts, call logs, and text messages and uploads them to a server, according to expert analysis. The malware also scans the phone to see which apps are installed, and extracts the subject’s usernames for some installed apps.

This smartphone app doesn’t dive as deeply as the local-targeting IJOP (Integrated Joint Operations Platform) app, through which the Xinjiang authorities can identify and label “many forms of lawful, every day, non-violent behavior—such as ‘not socializing with neighbors, often avoiding using the front door’—as suspicious.”

But the IJOP app also detects “51 network tools, including many Virtual Private Networks (VPNs) and encrypted communication tools, such as WhatsApp and Viber,” and here the parallels with the latest smartphone spying application are more obvious. And, just as with the locals, this latest app appears skewed towards Islamic visitors to the region.

“Most of the files that the journalists could identify were related to Islamic terrorism,” reported the New York Times. “ISIS recruitment materials in several languages, books written by jihadi figures, information about how to derail trains and build homemade weapons.” But, in addition to such prohibited material, “there were audio recordings of Quran verses recited by well-known clerics, the sort of material that many practicing Muslims might have on their phones, there were books about Arabic language and grammar, and a copy of ‘The Syrian Jihad,’ by the researcher Charles R. Lister.”

Last month, after a controversial visit to Xinjiang by the Russian head of the UN’s Counterterrorism Office, Beijing’s PR machine kicked into full effect (yet again), justifying the surveillance regime given the security context, with one UN diplomat telling Reuters that “China will, and is, actively saying that what they’re doing in Xinjiang is good terrorism prevention.”

Meanwhile, through state-controlled media, the Chinese government claimed that “while the West plays word games and a political game of ‘go’ on the Xinjiang question, the region’s governments at all levels are pursuing peace, stability and prosperity for all people living there. Time will prove the achievements of China’s governance in Xinjiang.”

Beijing has consistently attacked criticism of Xinjiang as “gross interference in China’s internal affairs,” and that will undoubtedly be the line taken this time around as well. The authorities will paint a picture of security and successful counter-terrorism. They will claim that the content targeted by this malware app is indicative of visitors who “might” represent a threat to the “peace and harmony” of the region. They will continue to obfuscate.

China has developed an unconstrained surveillance laboratory across Xinjiang, a province with a larger population than 22 of the European Union’s 28 member states. “Xinjiang affairs belong to China’s internal affairs,” a government spokesperson said after the HRW investigation. “Terrorism and extremism wantonly trample on basic human rights. The measures China has taken in Xinjiang are preventive anti-terrorism and de-radicalization efforts that are entirely conducted in accordance with the law to respect and protect human rights and have won extensive supports from people of all ethnic groups in Xinjiang.”

This latest smartphone malware app “provides yet another source of evidence showing how pervasive mass surveillance is being carried out in Xinjiang,” according to HRW’s Maya Wang, telling the reporters behind this latest exposure that “what you’ve found goes beyond that—it suggests that even foreigners are subjected to such mass, and unlawful surveillance.”