A hand reaches out of a mobile phone
Image: Nico Teitel

China Is Forcing Tourists to Install Text-Stealing Malware at its Border

The malware downloads a tourist’s text messages, calendar entries, and phone logs, as well as scans the device for over 70,000 different files.

Foreigners crossing certain Chinese borders into the Xinjiang region, where authorities are conducting a massive campaign of surveillance and oppression against the local Muslim population, are being forced to install a piece of malware on their phones that gives all of their text messages as well as other pieces of data to the authorities, a collaboration by Motherboard, Süddeutsche Zeitung, the Guardian, the New York Times, and the German public broadcaster NDR has found.


The Android malware, which is installed by a border guard when they physically seize the phone, also scans the tourist or traveller's device for a specific set of files, according to multiple expert analyses of the software. The files authorities are looking for include Islamic extremist content, but also innocuous Islamic material, academic books on Islam by leading researchers, and even music from a Japanese metal band.

In no way is the downloading of tourists’ text messages and other mobile phone data comparable to the treatment of the Uighur population in Xinjiang, who live under the constant gaze of facial recognition systems, CCTV, and physical searches. Last week, VICE News published an undercover documentary detailing some of the human rights abuses and surveillance against the Uighur population. But the malware news shows that the Chinese government’s aggressive style of policing and surveillance in the Xinjiang region has extended to foreigners, too.

"[This app] provides yet another source of evidence showing how pervasive mass surveillance is being carried out in Xinjiang. We already know that Xinjiang residents—particularly Turkic Muslims—are subjected to round-the-clock and multidimensional surveillance in the region," Maya Wang, China senior researcher at Human Rights Watch, said. "What you’ve found goes beyond that: it suggests that even foreigners are subjected to such mass, and unlawful surveillance."


One tourist who crossed the border and had the malware installed on their device provided a copy to Süddeutsche Zeitung and Motherboard. A member of the reporting team from Süddeutsche Zeitung then also crossed the border and had the same malware installed on their own phone.

Motherboard has uploaded a copy of the Android app to our GitHub account. You can download the Android file here.

At the border crossing from Kyrgyzstan into China, surrounded by desolate, mountainous peaks, border authorities take travelers' phones to be searched and install the malware, called BXAQ or Fengcai. Those crossing the border entered a clean, sterile environment to be searched, and in all, the process of getting through several stages of scrutiny and security takes around half a day, one of the travelers said.

Together with the Guardian and the New York Times, the reporting team commissioned several technical analyses of the app. Penetration testing firm Cure53 on behalf of the Open Technology Fund, researchers at Citizen Lab from the University of Toronto, and researchers from the Ruhr University Bochum as well as the Guardian itself all provided insights about BXAQ. The app's code also includes names such as "CellHunter" and "MobileHunter."

Once installed on an Android phone, by "side-loading" its installation and requesting certain permissions rather than downloading it from the Google Play Store, BXAQ collects all of the phone's calendar entries, phone contacts, call logs, and text messages and uploads them to a server, according to expert analysis. The malware also scans the phone to see which apps are installed, and extracts the subject’s usernames for some installed apps. (Update: after the publication of this piece, multiple antivirus firms updated their products to flag the app as malware).


Do you know any other cases of government malware? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

The app does not try to hide itself. Instead, it displays an icon on the device's app select screen, suggesting that it is designed to be removed from the phone after use by the authorities.

"This is yet another example of why the surveillance regime in Xinjiang is one of the most unlawful, pervasive, and draconian in the world," Edin Omanovic, state surveillance programme lead at Privacy International said.

"Modern extraction systems take advantage of this to build a detailed but flawed picture into people’s lives. Modern apps, platforms, and devices generate huge amounts of data which people likely aren’t even aware of or believe they’ve deleted, but which can still be found on the device. This is highly alarming in a country where downloading the wrong app or news article could land you in a detention camp," he added.


A screenshot of the app on the Android home screen.

The Süddeutsche Zeitung reporter said they saw machines that appeared to be for searching iPhones at the border.

Patrick Poon, China researcher at Amnesty International, said "it's pretty alarming to see how even foreigners and tourists would be subject to this kind of surveillance."

Included in the app's code are hashes for over 73,000 different files the malware scans for. Ordinarily, it is difficult to determine what specific files these hashes relate to, but the reporting team and researchers managed to uncover the inputs of around 1,300 of them. This was done by searching for connected files on the file search engine Virus Total. Citizen Lab identified the hashes in the VirusTotal database, and researchers from the Bochum team later downloaded some of the files from VirusTotal. The reporting team also found other copies online, and verified what sort of material the app was scanning for.


Many of the files that are scanned for contain clearly extremist content, such as the so-called Islamic State's publication Rumiyah. But the app also scans for parts of the Quran, PDFs related to the Dalai Lama, and a music file from Japanese metal band Unholy Grave (the band has a song called "Taiwan: Another China.")


A screenshot of the app scanning for files.

"The Chinese government, both in law and practice, often conflates peaceful religious activities with terrorism. Chinese law defines terrorism and extremism in a very broad and vague manner. For example, terrorism charges can stem from mere possession of 'items that advocate terrorism,' even though there is no clear definition of what these materials may be," Wang from Human Rights Watch said.

One of the scanned files is The Syrian Jihad, a book written by Charles Lister, a leading terrorism scholar and senior fellow and director of the Countering Terrorism and Extremism program at the Middle East Institute.

"This is news to me!" Lister wrote in an email. "I’ve never had any criticism for the book—in fact, in all honesty, the opposite."

"Instead, I suspect China’s authorities would find anything with the word 'jihad' in the title to be potentially suspicious," he added. "The book covers, albeit minimally, the role of the Turkistan Islamic Party in Syria, which may also be a point of sensitivity for Beijing. I’ve met with and engaged with Chinese officials to brief them on these issues, so I’m not aware of any problem Beijing would have with me."


"This is yet another example of why the surveillance regime in Xinjiang is one of the most unlawful, pervasive, and draconian in the world."

Motherboard previously covered JingWang, a piece of malware installed on devices in the Xinjiang region of China. Authorities typically installed JingWang on phones belonging to the Muslim Uighur population, and the app also scanned a phone for a similar particular set of files. According to expert analysis, the list of hunted files in BXAQ overlaps somewhat, but not entirely, with those that JingWang searches for, but BXAQ goes further.

Chinese authorities did not respond to a request for comment. Neither did Ninjing FiberHome StarrySky Communication Development Company Ltd, the partly state-owned company that developed the app.

"There is an increasing trend around the world to treat borders as law-free zones where authorities have the right to carry out whatever outrageous form of surveillance they want," Omanovic said. "But they’re not: the whole point of basic rights is that you’re entitled to them wherever you are. Western liberal democracies intent on implementing increasingly similar surveillance regimes at the border should look to what China is doing here and consider if this is really the model of security they want to be pursuing."

Subscribe to our new cybersecurity podcast, CYBER.