
Antivirus Companies Now Flag Malware China Installs on Tourists’ Phones

After a collaborative investigation found Chinese authorities were planting malware on the phones of travellers, Symantec, Malwarebytes and other cybersecurity firms have updated their products.

Jul 3 2019, 1:07pm

Multiple antivirus companies are now explicitly flagging in their products an app that Chinese authorities were planting onto the phones of tourists at the country's border.

Tuesday, a collaboration between Motherboard, Süddeutsche Zeitung, the Guardian, the New York Times, and the German public broadcaster NDR revealed Chinese authorities are installing the malware—called BXAQ or Fengcai—onto travelers' Android devices at a border crossing into Xinjiang, a region in western China. Xinjiang's local Uighur Muslim population is facing some of the most intense surveillance on the planet, with facial recognition systems, smartphone tracking, and detention in so-called re-education camps. Now, elements of that surveillance have expanded onto foreigners as well.


In concert with the articles' publication, Motherboard uploaded a copy of the malware onto our GitHub page. Here, researchers could freely access the malware to analyze it.

In response, multiple cybersecurity firms are now detecting BXAQ as malware in their own security products, according to results from VirusTotal, a Google-owned malware and detection search engine. Those include Avast, McAfee, and Check Point. Depending on the antivirus product, this means that the device owner may receive a pop-up if the malware is detected on the phone, or the software may block it.

Do you know any other cases of government malware? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

Malwarebytes also told Motherboard the company created a rule to detect the malware on Tuesday, flagging it as "Android/Trojan.Spy.BXAQ.a."

A spokesperson for Symantec told Motherboard its product would have already flagged the app as a PUA (potentially unwanted application). This characterization is likely based on how the software behaves. But after "further analysis, it is now being detected as malware by Symantec Endpoint Protection Mobile," the spokesperson wrote in an email.

Shortly after Motherboard released the malware's code as part of the reporting collaboration, only one company explicitly flagged the app, according to VirusTotal results. On Wednesday, 10 companies were doing so, according to VirusTotal.

Chinese border authorities have planted the malware onto travelers' phones as they passed through Irkeshtam port at the border between Kyrgyzstan and China, a tourist who crossed the border said. A member of the reporting team from Süddeutsche Zeitung also entered China through this point and verified that the malware was installed on devices there.

After being "side-loaded" onto the phone rather than downloaded from the Google Play Store, the malware uploads the device's text messages, calendar entries, phone logs and contacts to a server, multiple technical analyses commissioned by the reporting team found. The malware also scans the phone for over 73,000 different files. The investigation found these files include clearly extremist material such as Islamic State propaganda, but also passages from the Quran, PDFs related to the Dalai Lama, and music from a Japanese metal group called Unholy Grave. Unholy Grave has a song called "Taiwan: Another China."
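The behaviour described above gives a defender a concrete checklist for a phone that has been out of its owner's control: look for packages that did not come from the Play Store, then see whether they request access to the same data types (SMS, calendar, call log, contacts, storage, network). The script below is an added example, not code from Motherboard, the reporting team's analysts, or any vendor named in the article. It parses captured text from two standard Android commands, `adb shell pm list packages -i` and `adb shell dumpsys package <pkg>`; the output layouts are assumed from those tools, and the sample output and the package names in it are constructed placeholders, not the real app.

```python
"""Triage sideloaded Android packages by installer and requested permissions.

Added example (not the page's or the reporting team's code). Input is text
captured from:
  adb shell pm list packages -i        -> "package:<name>  installer=<pkg|null>"
  adb shell dumpsys package <name>     -> a "requested permissions:" block
Both formats are assumptions about those tools' output; the samples below
are constructed for illustration.
"""
import re

# Only the Play Store is treated as a trusted installer here. An APK opened
# from a file manager shows up with the system package installer, and one
# pushed over adb shows installer=null, so both are reported as sideloaded.
TRUSTED_INSTALLERS = frozenset({"com.android.vending"})

# Permissions that map onto the data the article says the app collected.
SENSITIVE = {
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_CALENDAR": "calendar entries",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "files on storage",
    "android.permission.INTERNET": "network upload",
}

PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")
PERM_NAME = re.compile(r"^[A-Za-z][\w.]*$")


def parse_installers(pm_output: str) -> dict:
    """Map package name -> installing package (None when pm reports 'null')."""
    installers = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers


def sideloaded(installers: dict, trusted=TRUSTED_INSTALLERS) -> list:
    """Packages whose installer is not in the trusted set (including None)."""
    return sorted(pkg for pkg, inst in installers.items() if inst not in trusted)


def requested_permissions(dumpsys_output: str) -> set:
    """Collect the bare permission names listed under 'requested permissions:'."""
    perms, in_block = set(), False
    for raw in dumpsys_output.splitlines():
        line = raw.strip()
        if line.startswith("requested permissions:"):
            in_block = True
            continue
        if in_block:
            if PERM_NAME.match(line):
                perms.add(line)
            else:
                in_block = False  # any other header ends the block
    return perms


def triage(installers: dict, dumpsys_by_pkg: dict) -> dict:
    """For each sideloaded package, list the sensitive data types it can reach."""
    findings = {}
    for pkg in sideloaded(installers):
        perms = requested_permissions(dumpsys_by_pkg.get(pkg, ""))
        hits = sorted(SENSITIVE[p] for p in perms if p in SENSITIVE)
        findings[pkg] = {"installer": installers[pkg], "sensitive_access": hits}
    return findings


# Constructed sample output; com.example.* are placeholders, not real apps.
PM_SAMPLE = """package:com.android.chrome  installer=com.android.vending
package:com.example.border  installer=null
package:com.example.notes  installer=com.google.android.packageinstaller
"""
DUMPSYS_SAMPLE = {
    "com.example.border": """Packages:
  Package [com.example.border] (1a2b3c):
    userId=10234
    requested permissions:
      android.permission.READ_SMS
      android.permission.READ_CONTACTS
      android.permission.READ_CALL_LOG
      android.permission.READ_CALENDAR
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
""",
    "com.example.notes": """    requested permissions:
      android.permission.INTERNET
    install permissions:
""",
}

if __name__ == "__main__":
    for pkg, info in triage(parse_installers(PM_SAMPLE), DUMPSYS_SAMPLE).items():
        print(pkg, info)
```

Run it against captured output from a real device by replacing the constructed samples; a package with a null or non-store installer that requests the full SMS/contacts/call-log/calendar/storage set together with network access is exactly the profile the analyses describe, and is worth pulling for closer inspection rather than trusting an antivirus verdict alone.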

VirusTotal is not a perfect tool for determining whether a brand of security software will flag, detect, or block a particular piece of malware. Some products may catch an app through generic or behavioural detection even if they have not written a specific rule for it. But VirusTotal can still provide indications of coverage across the industry.
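The coverage numbers quoted above (one engine shortly after release, ten by Wednesday) come from reading VirusTotal's per-engine verdicts for the same sample at two points in time. The script below is an added example, not Motherboard's tooling or VirusTotal's own code: it summarises which engines flag a file from a report in the layout of the VirusTotal v3 file-report endpoint (`data.attributes.last_analysis_results`) and diffs two snapshots. The fetch helper needs an API key and is not exercised here; the two snapshots, engine names and detection names are constructed placeholders, not the real results for BXAQ.

```python
"""Summarise and compare antivirus coverage from VirusTotal-style file reports.

Added example (not code from the page or from VirusTotal). The response
layout is assumed from the VirusTotal v3 file-report endpoint; the sample
snapshots below are constructed and do not reflect real vendor verdicts.
"""
import json
import urllib.request

# Verdict categories that count as "this engine flags the file".
FLAGGING = {"malicious", "suspicious"}


def fetch_report(sha256: str, api_key: str) -> dict:
    """Fetch a file report from the VirusTotal v3 API (needs a key; not run here)."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{sha256}",
        headers={"x-apikey": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def flagging_engines(report: dict) -> dict:
    """Return {engine: detection name} for every engine whose verdict flags the file."""
    results = report["data"]["attributes"]["last_analysis_results"]
    return {
        engine: (entry.get("result") or entry["category"])
        for engine, entry in results.items()
        if entry.get("category") in FLAGGING
    }


def coverage_delta(before: dict, after: dict) -> dict:
    """Compare two snapshots of the same sample: how many engines flag it, and which changed."""
    b, a = flagging_engines(before), flagging_engines(after)
    return {
        "before": len(b),
        "after": len(a),
        "added": sorted(set(a) - set(b)),
        "dropped": sorted(set(b) - set(a)),
    }


def _report(results: dict) -> dict:
    """Wrap a results mapping in the VirusTotal-style envelope (constructed)."""
    return {"data": {"attributes": {"last_analysis_results": results}}}


# Constructed snapshots: one detection on the day the sample was shared,
# more the day after. Vendor and detection names are placeholders.
SNAPSHOT_DAY1 = _report({
    "VendorA": {"category": "malicious", "result": "Android.Spy.Generic"},
    "VendorB": {"category": "undetected", "result": None},
    "VendorC": {"category": "undetected", "result": None},
    "VendorD": {"category": "type-unsupported", "result": None},
})
SNAPSHOT_DAY2 = _report({
    "VendorA": {"category": "malicious", "result": "Android.Spy.Generic"},
    "VendorB": {"category": "malicious", "result": "Android/Trojan.Spy.Example"},
    "VendorC": {"category": "suspicious", "result": "PUA.Android.Example"},
    "VendorD": {"category": "type-unsupported", "result": None},
})

if __name__ == "__main__":
    print(json.dumps(coverage_delta(SNAPSHOT_DAY1, SNAPSHOT_DAY2), indent=2))
```

Note that `type-unsupported` and `undetected` are kept separate from a true miss in the raw data: an engine that cannot scan Android packages at all says nothing about that vendor's on-device product, which is one reason the article treats these counts as an indication rather than a verdict on any single product.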

How effective antivirus software can really be against this sort of threat is unclear. If a border official is already in physical possession of the unlocked device to install the app, they may be able to disable or ignore any warnings from a cybersecurity product.

