Chinese Antivirus Companies Don’t Flag Chinese Border Malware

After a joint investigation found China installing malware on tourists’ phones, several antivirus companies started flagging the app. Several Chinese companies did not, however.
Chinese flag
Image: GREG BAKER/AFP/Getty Images

Several high profile Chinese cybersecurity companies allegedly don't flag a piece of malware in their antivirus products that can download a victim's text messages, calendar entries, call logs and contacts, and scan their phone for a set of specific files. Notably, the malware is used by Chinese authorities at the country's border.

The malware—called BXAQ or Fengcai—was the focus of a collaboration between Motherboard, Süddeutsche Zeitung, the Guardian, the New York Times, and the German public broadcaster NDR. That investigation found Chinese authorities installed the malware onto the phones of tourists who crossed a certain point of the country's border into the Xinjiang region. China continues to subject the local Uighur Muslim population in Xinjiang to extreme forms of surveillance, as well as forcing them into so-called re-education camps.


As part of that collaboration, Motherboard published the BXAQ app onto GitHub. In response, several antivirus firms, including Avast, McAfee, Check Point, Symantec, and Malwarebytes started to explicitly flag the app as malware.

But Chinese companies and products such as Baidu, Qihoo, Jiangmin, Rising, and Tencent still aren't flagging the malware, according to results from VirusTotal, a Google-owned malware search engine.

Do you know any other cases of government malware? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on, or email

Anyone is free to upload a file to VirusTotal to scan. VirusTotal will then process the file through various antivirus products, and then display whether they detect the file as malicious, and under what name it flags the file. The system isn't perfect, but can generally provide a good indication of a piece of malware's coverage across the industry.

Where a cybersecurity company is located can impact its products or research the company produces. In 2014, the head of Dutch security company Fox IT, told Mashable that his company and others did not publish details of a GCHQ hack in order not to “interfere with NSA/GCHQ operations.” Kevin Mandia, CEO of FireEye, previously told Cyberscoop that it will tip-off intelligence officials from the Five Eyes alliance, made up of the U.S., U.K., Australia, New Zealand, and Canada before publishing a public report on their malware. The company's products do still remove Five Eyes malware though, he said.

None of the companies contacted by Motherboard provided a statement.

Lorenzo Franceschi-Bicchierai contributed to this article.

Subscribe to our new cybersecurity podcast, CYBER.