China’s Software Stalked Uighurs Earlier and More Widely, Researchers Learn

A new report revealed a broad campaign that targeted Muslims in China and
their diaspora in other countries, beginning as early as 2013.
[image: Malicious software was hidden in apps and websites to harvest data from the phones of millions of members of China’s largely Muslim Uighur population. Credit: Gilles Sabrie for The New York Times]

By Paul Mozur and Nicole Perlroth
July 1, 2020

TAIPEI, Taiwan — Before the Chinese police hung high-powered surveillance
cameras and locked up ethnic minorities by the hundreds of thousands in
China’s western region of Xinjiang, China’s hackers went to work building
malware, researchers say.

The Chinese hacking campaign, which researchers at Lookout — the San
Francisco mobile security firm — said on Wednesday had begun in earnest as
far back as 2013 and continues to this day, was part of a broad but often
invisible effort to pull in data from the devices that know people best:
their smartphones.

Lookout found links between eight types of malicious software — some
previously known, others not — that show how groups connected to China’s
government hacked into Android phones used by Xinjiang’s largely Muslim
Uighur population on a scale far larger than had been realized.

The timeline suggests the hacking campaign was an early cornerstone in
China’s Uighur surveillance efforts that would later extend to collecting
blood samples, voice prints, facial scans and other personal data to
transform Xinjiang into a virtual police state. It also shows the lengths to
which China’s minders were determined to follow Uighurs as they fled China
for as many as 15 other countries.

The tools the hackers assembled hid in special keyboards used by Uighurs
and disguised themselves as commonly used apps in third-party websites.
Some could remotely turn on a phone’s microphone, record calls or export
photos, phone locations and conversations on chat apps. Others were
embedded in apps that hosted Uighur-language news, Uighur-targeted beauty
tips, religious texts like the Quran and details of the latest Muslim
cleric arrests.

“Wherever China’s Uighurs are going, however far they go, whether it was
Turkey, Indonesia or Syria, the malware followed them there,” said Apurva
Kumar, a threat intelligence engineer at Lookout who helped unravel the
“It was like watching a predator stalk its prey throughout the world.”

A decade ago, the People’s Liberation Army’s hackers were notable not so
much for their sophistication as for the volume of their attacks. But under
threat of American sanctions, President Xi Jinping of China struck an
agreement with President Barack Obama in 2015 to cease hacking American
targets for commercial gain. The agreement stuck for a time, with a
significant drop in Chinese hacks in the United States.

Last fall, private researchers determined that — over that same period —
China had turned its most advanced hacking tools on its own people. In
overlapping discoveries, researchers at Google, the security firm Volexity
and the Citizen Lab at the University of Toronto’s Munk School of Public
Affairs separately uncovered what amounted to an advanced Chinese hack
against iPhones and Android phones belonging to Chinese Uighurs and Tibetans
throughout the world.
[image: A security checkpoint equipped with facial recognition technology at the entrance of a park in Xinjiang. Credit: Gilles Sabrié for The New York]

Google’s researchers discovered that hackers had infected websites
frequented by Uighurs — inside China and in other countries — with tools
that could hack their iPhones and siphon off their data.

Lookout’s latest analysis suggests that China’s mobile hacking campaign was
broader and more aggressive than security experts, human rights activists
and spyware victims had realized. But experts on Chinese surveillance say
it should come as no surprise, given the lengths to which Beijing has gone
to monitor Xinjiang.

“We should think about smartphone surveillance being used as a way to track
people’s inner life, their everyday behavior, their trustworthiness,” said
Darren Byler, who studies surveillance of minority populations at the
University of Colorado, Boulder.

In 2015, as Beijing pushed to crack down on sporadic ethnic violence in
Xinjiang, the authorities grew “desperate” to track fast-growing Uighur
communications online, Mr. Byler said. Uighurs began to fear that their
online chats discussing Islam or politics were risky. Savvier Uighurs took
to owning a second “clean phone,” said Mr. Byler, who lived in Xinjiang in

On the streets of Xinjiang, the police began confiscating Uighurs’ phones.
Sometimes, they returned them months later with new spyware installed.
Other times, people were handed back entirely different phones. Officials
visiting Uighur villages regularly recorded the serial numbers used to
identify smartphones. They lined the streets with new hardware that tracked
people’s phones as they walked past.

The authorities dragged Uighurs off to detention camps for having two
phones or an antiquated phone, arbitrarily dumping a phone, or not having a
phone at all, according to testimonials and government documents.
Over that same period, Lookout said China’s mobile hacking efforts
accelerated. One type of Chinese malware, known as GoldenEagle after the
words hackers littered throughout their code — an apparent reference to the
eagles used for hunting in Xinjiang — was used as early as 2011. But its
use picked up in 2015 and 2016. Lookout uncovered more than 650 versions of
GoldenEagle malware and a large number of fake Uighur apps that function as
a sort of Trojan horse to spy on users’ mobile communications.

The malicious apps mimicked so-called virtual private networks, which are
used to set up secure web connections and view prohibited content inside
China. They also targeted apps frequently used by Uighurs for shopping,
video games, music streaming, adult media and travel booking, as well as
specialized Uighur keyboard apps. Some offered Uighurs beauty and
traditional-medicine tips. Others impersonated apps from Twitter, Facebook,
QQ — the Chinese instant messaging service — and the search giant Baidu.

Once downloaded, the apps gave China’s hackers a real-time window into
their targets’ phone activity. They also gave China’s minders the ability
to kill their spyware on command, including when it appeared to suck up too
much battery life. In some cases, Lookout discovered that all China’s
hackers needed to do to get data off a target’s phone was send the user an
invisible text message. The malware captured a victim’s data and sent it
back to the attackers’ phone via a text reply, then deleted any trace of
the exchange.

In June 2019, Lookout uncovered Chinese malware buried in an app called
Syrian News. The content was Uighur focused, suggesting China was trying to
bait Uighurs inside Syria into downloading their malware. That Beijing’s
hackers would track Uighurs to Syria gave Lookout’s researchers a window
into Chinese anxiety over Uighur involvement
in the Syrian civil war. Lookout’s researchers found similarly malicious
apps tailored to Uighurs in Kuwait, Turkey, Indonesia, Malaysia,
Afghanistan and Pakistan.

Researchers at other security research groups, like Citizen Lab, had
previously uncovered various pieces of China’s mobile hacking campaign and
linked them back to Chinese state hackers. However, Lookout’s new report
appears to be the first time researchers were able to piece these older
campaigns with new mobile malware and tie them to the same groups.

“Just how far removed the state is from these operations is always the open
question,” said Christoph Hebeisen, Lookout’s director of security
intelligence. “It could be that these are patriotic hackers, like the kind
we have seen in Russia. But the targeting of Uighurs, Tibetans, the
diaspora and even Daesh, in one case, suggests otherwise,” he added, using
another term for the Islamic State.

One clue to the attackers’ identities came when Lookout’s researchers found
what appeared to be test versions of China’s malware on several smartphones
that were clustered in and around the headquarters of the Chinese defense
contractor Xi’an Tianhe Defense Technology.

A large supplier of defense technology, Tianhe sent employees to a major
defense conference in Xinjiang in 2015 to market products that could
monitor crowds. As a surveillance gold rush took over the region, Tianhe
doubled down, establishing a subsidiary in Xinjiang in 2018. The company
did not respond to emails requesting comment.

“That could be an interesting coincidence,” Mr. Hebeisen said, “or it could
be the smoking gun.”

Paul Mozur reported from Taipei, and Nicole Perlroth from San Francisco.