Xinjiang (XUAR) is an autonomous territory and home to many Muslim ethnic minority groups where China is known to be conducting massive surveillance operations, especially on the activities of Uighurs, a Muslim Turkic minority group of about 8 million people.
The Chinese government has blamed the Muslim Turkic minority group for Islamic extremism and deadly attacks on Chinese targets.
According to a joint investigation by New York Times, the Guardian, Süddeutsche Zeitung and more, the surveillance app has been designed to instantly extract emails, texts, calendar entries, call records, contacts and insecurely uploads them to a local server set-up at the check-point only.
This suggests that the spyware app has not been designed to continuously and remotely track people while in China. In fact, in the majority of cases, the report says the surveillance app is uninstalled before the phone is returned to its owner.
The spyware, called Feng Cai (蜂采) or BXAQ, also scans infected Android devices for over 73,000 pre-defined files related to Islamic extremist groups, including ISIS recruitment fliers, bomb-making instructions, and images of executions.
Besides this, it also looks for segments from the Quran, portions of an Arabic dictionary and information on the Dalai Lama, and for some bizarre reason, the list also includes a song from a Japanese grindcore band called Unholy Grace.
The app can directly be installed on Android phones, but for tourists, journalists, and other foreigners, using Apple devices, the border guards reportedly connect their phones to a hardware-based device that is believed to install similar spyware.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
According to researchers at German cybersecurity firm Cure53, who analyzed [PDF] a sample of the surveillance app, the names that appear in Feng Cai app's source code suggest that the app was developed by a unit of FiberHome, a Chinese telecom manufacturer that is partly owned by the government.
"The app is very simple in terms of its user interface, with just three available functions: Scan, Upload, and Uninstall," the researchers said.
However, it remains unclear how long the collected information on travelers is stored on the Chinese server, or how the government uses it.
"The Chinese government, both in law and practice, often conflates peaceful religious activities with terrorism," Maya Wang, a Chinese researcher at Human Rights Watch, told NY Times. "You can see in Xinjiang, privacy is a gateway right: Once you lose your right to privacy, you're going to be afraid of practicing your religion, speaking what's on your mind or even thinking your thoughts."
It's not the first time when Chinese authorities have been caught using spyware to keep tabs on people in the Xinjiang region, as this kind of intensive surveillance is very common in that region. However, it's the first time when tourists are believed to have been the primary target.
In 2017, Chinese authorities had forced Xinjiang residents as well into installing a similar spyware app, called Jingwang, on their mobile devices that was intended to prevent them from accessing terrorist information.