NCSC issues warning over Chinese Moonshine and BadBazaar spyware

The UK’s National Cyber Security Centre (NCSC), the US’s National Security Agency (NSA) and the FBI, alongside Five Eyes partner agencies from Australia, Canada and New Zealand, and the German cyber authorities, have issued a series of advisories warning individuals at risk of hostile state surveillance to be alert to two spyware variants, dubbed Moonshine and BadBazaar.

So far, the malicious applications have been detected on the mobile devices of individuals considered to be of interest to the Chinese intelligence services. For now, their known victim profile appears to be limited to people associated with the Taiwanese, Tibetan and Uyghur Muslim communities, and other groups such as the Falun Gong movement.

However, given the scope of Beijing’s cyber espionage operations, they could easily be used against targets located in the West, conceivably including members of the Hong Kong diaspora and pro-democracy activists in the UK.

Moonshine and BadBazaar both employ a technique known as trojanising, whereby malicious functionality is hidden inside a repackaged copy of an apparently legitimate application. Once installed, the spyware gives its operator access to device functions such as the microphone and camera, as well as location data, messages and photos.

“With our international and industry partners, we are committed to helping equip individuals at risk of online surveillance with the information they need to counter spyware threats,” said NCSC operations director Paul Chichester.

“We are seeing a rise in digital threats designed to silence, monitor and intimidate communities across borders, and the use of these two forms of spyware is clearly unacceptable.

“The NCSC urges people at higher risk to exercise heightened vigilance and follow our practical advice outlined in the advisory to help keep their devices and data safe,” added Chichester.

Skype and WhatsApp both targeted

Among the trojanised apps discovered by the Five Eyes agencies are tampered versions of Microsoft’s soon-to-be-discontinued Skype and Meta’s WhatsApp messaging apps.

However, both Moonshine and BadBazaar have also been observed hiding within apps that the threat actor behind the spying campaign appears to have designed to lure in victims.

Among them is an application called TibetOne, an iOS app designed to support language learning that has the ability to access device information and location data. The app was uploaded to the App Store as long ago as December 2021, but is no longer available.

A second app identified, an Android package named Audio Quran.apk, was used specifically to target members of the Uyghur Muslim community located in China’s remote western Xinjiang region with Moonshine. The Turkic Uyghurs have been subject to repression by the Chinese authorities, which the US government has described as genocide. Like TibetOne, Audio Quran collected a wealth of information from its victims.

New advice

Besides the two new advisories – one containing guidance for potential victims, the other a technical breakdown of each spyware variant, including advice for app store operators, developers and social media companies – the NCSC has also shared four key steps that all individuals, regardless of their risk profile, should be taking to safeguard their devices.

  1. Stay mainstream: Refrain from trying to jailbreak or root devices and only download applications from trusted app stores.
  2. Stay organised: Audit your installed apps, and their permissions, on a regular basis.
  3. Stay in touch: Report suspicious messages or files.
  4. Stay safe: Be cautious on social media, and check and review shared files or links for malicious activity.
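Steps 1 and 2 above can be turned into a repeatable check on an Android handset. The script below is an added example, not NCSC tooling or code from either advisory: it parses the text that `adb shell dumpsys package <pkg>` prints on recent Android builds (the line format is an assumption, as is treating the Play Store package `com.android.vending` as the only trusted installer) and flags any app that was sideloaded from outside a trusted store, or that has been granted enough runtime permissions to cover the microphone, camera, location, messages and photos capabilities the advisories attribute to Moonshine and BadBazaar. The sample dumpsys text and package names are constructed for the example.

```python
"""Audit installed Android apps for sideloading and surveillance-grade permissions.

Added example, not NCSC guidance or tooling. Assumes the `adb shell dumpsys
package <pkg>` text format of recent Android builds, where each package block
starts with "Package [<name>]" and granted runtime permissions appear as
    android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
"""
import re

# Runtime permissions mapped to the device capabilities the advisories say the
# two spyware families abuse: microphone, camera, location, messages, photos.
SURVEILLANCE_PERMS = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_SMS": "messages",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_MEDIA_IMAGES": "photos",
    "android.permission.READ_EXTERNAL_STORAGE": "photos",
}

# Installers counted as a "mainstream" app store (assumption: only Google Play;
# add a vendor store's package name here if the device has one).
TRUSTED_INSTALLERS = {"com.android.vending"}

PKG_LINE = re.compile(r"^\s*Package \[([\w.]+)\]")
INSTALLER_LINE = re.compile(r"^\s*installerPackageName=(\S+)")
PERM_LINE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


def parse_dumpsys(text):
    """Return {package: {"installer": str | None, "granted": set(permission)}}."""
    result = {}
    current = None
    for line in text.splitlines():
        m = PKG_LINE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"installer": None, "granted": set()}
            continue
        if current is None:
            continue
        m = INSTALLER_LINE.match(line)
        if m:
            # dumpsys prints "null" for apps installed without a store (adb, browser download).
            result[current]["installer"] = None if m.group(1) == "null" else m.group(1)
            continue
        m = PERM_LINE.match(line)
        if m and m.group(2) == "true":
            result[current]["granted"].add(m.group(1))
    return result


def audit(text, min_capabilities=3):
    """Return packages worth reviewing: sideloaded, or holding at least
    min_capabilities distinct surveillance capabilities (denied permissions are ignored)."""
    findings = {}
    for pkg, info in parse_dumpsys(text).items():
        caps = sorted({SURVEILLANCE_PERMS[p] for p in info["granted"] if p in SURVEILLANCE_PERMS})
        sideloaded = info["installer"] not in TRUSTED_INSTALLERS
        if sideloaded or len(caps) >= min_capabilities:
            findings[pkg] = {"sideloaded": sideloaded, "capabilities": caps}
    return findings


# Constructed sample output: one sideloaded app with broad permissions, one store app.
SAMPLE = """\
Package [com.example.audioplayer] (a1b2c3):
    installerPackageName=null
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
Package [com.example.notes] (d4e5f6):
    installerPackageName=com.android.vending
    runtime permissions:
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    for pkg, finding in audit(SAMPLE).items():
        print(pkg, "sideloaded" if finding["sideloaded"] else "store-installed", finding["capabilities"])
```

On a real device, feed the script the concatenated output of `adb shell dumpsys package <pkg>` for each package listed by `adb shell pm list packages -3` (third-party apps only). A hit is a prompt to review, not proof of compromise: legitimate messaging apps also hold several of these permissions, which is exactly why trojanised copies of them are effective.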
