Long-running surveillance campaigns target Uighurs with BadBazaar and MOONSHINE spyware | Security Affairs

Lookout researchers uncovered two long-running surveillance campaigns targeting the Uyghur ethnic minority.

Researchers from mobile security firm Lookout uncovered two long-running surveillance campaigns targeting the Uyghur minority. Threat actors behind the campaigns used two Android spyware to spy on victims and steal sensitive information.

The campaigns involved a new malware family called BadBazaar and new variants of the MOONSHINE surveillance software, which Citizen Lab discovered in 2019 in attacks against Tibetan activists.

The BadBazaar investigation began in late 2021, prompted by a tweet from the @MalwareHunterTeam research team that referred to a malicious English-Uyghur dictionary application.

The malicious app was linked to surveillance campaigns targeting Uighurs and other ethnic Turkic minorities in China and abroad. Researchers attribute the campaigns to the China-linked APT15 cyber espionage group (aka Nickel, Ke3chang, Mirage, Vixen Panda, Royal APT and Mischievous Dragon).

APT15 has been active since at least 2010 and has conducted cyber espionage campaigns against targets around the world in multiple sectors, including defense, high tech, energy, government, aerospace and manufacturing. The attackers have demonstrated an increasing level of sophistication over the years, using custom malware and various exploits in their attacks.

The BadBazaar campaign dates back to late 2018; over time, researchers collected 111 unique apps that masquerade as harmless apps such as radio apps, messaging apps, dictionaries, religious apps, and even TikTok.

“The overlapping infrastructure and TTPs indicate that these campaigns are connected to APT15, a China-backed hacking group also known as VIXEN PANDA and NICKEL. We named this malware family BadBazaar in response to a first variant which presented itself as a third-party app store titled “APK Bazar”. Bazar is a lesser-known spelling of Bazaar,” reads the report published by Lookout.

“Lookout has since acquired 111 unique samples of BadBazaar monitoring software dating back to late 2018. Over 70% of these applications were found in Uyghur-language communication channels in the second half of 2022.”

Lookout researchers also discovered a benign app on Apple’s App Store that communicates with the same C2 infrastructure used by the BadBazaar Android variants. The iOS app collects basic information from the iPhone and uses the same name, “Uyghur Lughat”, and the same icon as the Android app.

The discovery of an iOS app suggests that threat actors are likely planning to update their malware by developing an iOS version that includes monitoring capabilities.

The Android spyware is able to collect a wide range of information, including:

  • Location (latitude and longitude)
  • List of installed packages
  • Call logs and geocoded location associated with the call
  • Contact information
  • Android apps installed
  • SMS information
  • Detailed device information including model, language, IMEI, IMSI, ICCID (SIM serial number), phone number, time zone and the user’s centralized online account registry
  • Wi-Fi information (connected or not, and if connected, IP, SSID, BSSID, MAC, netmask, gateway, DNS1, DNS2)
  • Record phone calls
  • Take photos
  • Data and database files in the SharedPreferences directory of the trojanized application
  • Retrieve a list of files on the device that end in .ppt, .pptx, .docx, .xls, .xlsx, .doc, or .pdf
  • Folders of interest as specified dynamically from the C2 server, including camera images and screenshots, Telegram, Whatsapp, GBWhatsapp, TalkBox, Zello attachments, logs and chat history
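As an added example (not code from the Lookout report or from Security Affairs), the following Python triage check maps the permissions declared in an Android manifest to the data-collection capabilities listed above and flags those that a benign app of its claimed category (dictionary, radio, messaging) would have no reason to request. The permission-to-capability mapping and the per-category expectations are my assumptions, and the sample manifest is constructed.

```python
"""Flag Android apps whose declared permissions match the BadBazaar data-collection
profile but do not fit the app's advertised purpose (e.g. a dictionary app that
reads call logs and SMS). Added example; the manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> capability from the article's list. Assumption: this mapping is
# ours, based on standard Android permission semantics, not Lookout's own rules.
PERMISSION_CAPABILITY = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_CALL_LOG": "call_logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECORD_AUDIO": "call_recording",
    "android.permission.CAMERA": "photos",
    "android.permission.READ_PHONE_STATE": "device_identifiers",
    "android.permission.READ_EXTERNAL_STORAGE": "file_collection",
    "android.permission.QUERY_ALL_PACKAGES": "installed_apps",
}

# Capabilities each cover-app category could plausibly justify (assumed values).
EXPECTED_BY_CATEGORY = {
    "dictionary": set(),
    "radio": {"location"},
    "messaging": {"contacts", "photos", "call_recording", "file_collection"},
}

def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def capability_profile(manifest_xml: str) -> set[str]:
    """Translate declared permissions into the spyware capabilities they enable."""
    return {PERMISSION_CAPABILITY[p] for p in declared_permissions(manifest_xml)
            if p in PERMISSION_CAPABILITY}

def unjustified_capabilities(manifest_xml: str, category: str) -> set[str]:
    """Capabilities the app requests that its claimed category does not explain."""
    return capability_profile(manifest_xml) - EXPECTED_BY_CATEGORY.get(category, set())

# Constructed manifest of a supposed English-Uyghur dictionary app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.uyghur.dictionary">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    print("unjustified for a dictionary app:",
          sorted(unjustified_capabilities(SAMPLE_MANIFEST, "dictionary")))
```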

Researchers have also spotted an ongoing campaign spreading the MOONSHINE spyware; since July 2022 they have obtained over 50 malicious apps containing the threat. The malware is capable of stealing sensitive data, recording audio and downloading arbitrary files.

“The rate at which new samples are being rolled out indicates that these campaigns are underway. The majority of these samples are trojanized versions of popular social media platforms, like WhatsApp or Telegram, or trojanized versions of Muslim cultural apps, Uyghur language tools or prayer apps,” continues the report. “Our MOONSHINE samples were acquired from multiple Uyghur language communication channels, some with hundreds of members.”

Experts found that all MOONSHINE samples connect to admin panels similar to those analyzed by Citizen Lab researchers in 2019.

Lookout’s report demonstrates that Chinese threat actors continue to target Uyghur and Muslim mobile device users through Uyghur-language communication platforms.

“The wide distribution of BadBazaar and MOONSHINE, and the speed at which new features have been introduced indicate that development of these families is ongoing and that there is continued demand for these tools.” concludes the report.

Pierluigi Paganini