Antivirus Companies Now Flag Malware China Installs on Tourists’ Phones

Multiple antivirus companies are now explicitly flagging in their products an app that Chinese authorities were planting onto the phones of tourists at the country's border.

Tuesday, a collaboration between Motherboard, Süddeutsche Zeitung, the Guardian, the New York Times, and the German public broadcaster NDR revealed Chinese authorities are installing the malware—called BXAQ or Fengcai—onto travelers' Android devices at a border crossing into Xinjiang, a Western part of China. Xinjiang's local Uighur Muslim population is facing some of the most intense surveillance on the planet, with facial recongition systems, smartphone tracking, and detention in so-called re-education camps. Now, elements of that surveillance have expanded onto foreigners as well.

In concert with the articles' publication, Motherboard uploaded a copy of the malware onto our GitHub page. Here, researchers could freely access the malware to analyze it.

In response, multiple cybersecurity firms are now detecting BXAQ as malware in their own security products, according to results from VirusTotal, a Google-owned malware and detection search engine. Those include Avast, McAfee, and Check Point. Depending on the antivirus product, this means that the device owner may receive a pop-up if the malware is detected on the phone, or the software may block it.

Malwarebytes also told Motherboard the company created a rule to detect the malware on Tuesday, flagging it as "Android/Trojan.Spy.BXAQ.a."

A spokesperson for Symantec told Motherboard its product would have already flagged the app as a PUA (potentially unwanted application). This characterization is likely based on how the software behaves. But after "further analysis, it is now being detected as malware by Symantec Endpoint Protection Mobile," the spokesperson wrote in an email.

Shortly after Motherboard released the malware's code as part of the reporting collaboration, only one company explicitly flagged the app, according to VirusTotal results. On Wednesday, 10 companies were doing so, according to VirusTotal.

Chinese border authorities have planted the malware onto travelers' phones as they passed through Irkeshtam port at the border between Kyrgyzstan and China, a tourist who crossed the border said. A member of the reporting team from Süddeutsche Zeitung also entered China through this point and verified that malware is installed on devices.

After being "side-loaded" onto the phone rather than downloaded from the Google Play Store, the malware uploads the device's text messages, calendar entries, phone logs and contacts to a server, multiple technical analyses commissioned by the reporting team found. The malware also scans the phone for over 73,000 different files. The investigation found these files include clearly extremist material such as Islamic State propaganda, but also passages from the Quran, PDFs related to the Dalai Lama, and music from a Japanese metal group called Unholy Grave. Unholy Grave has a song called "Taiwan: Another China."

VirusTotal is not a perfect tool for determining whether a brand of security software will flag, detect, or block a particular piece of malware. Maybe some systems would capture an app even if they haven't developed a specific rule to do so. But VirusTotal can still provide indications of coverage across the industry.

How effective antivirus software can really be against this sort of threat is unclear. If a border official is already in physical possession of the unlocked device to install the app, they may be able to disable or ignore any warnings from a cybersecurity product.

Subscribe to our new cybersecurity podcast, CYBER.