Foreigners looking to travel through China's Xinjiang region are being subject to invasive searches well after they have crossed the border. According to a new collaborative report from the New York Times, The Guardian, Motherboard and others, border agents working for the Chinese government have been installing a malicious app on the phones of tourists in order to snoop on their activity and steal potentially sensitive information. It's just the latest part of a massive digital dragnet that has turned parts of the country into a high-tech police state.
The malware is installed after border agents confiscate the phones of tourists and travelers who are heading into the country's westernmost region, an area best known for its vast deserts and massive mountains. Once in possession of a person's phone, the border agents install malware called BXAQ or Fengcai, which targets Android devices, through a process called side-loading: the app is installed directly on the device, and granted the permissions it needs to read information stored there, without ever going through the Google Play Store. What is somewhat strange about the app is that it isn't hidden on a traveler's phone — an icon is displayed on the screen, the same as any other app.
Once installed on a person's phone the malware goes to work grabbing just about every bit of personal information that it can. According to experts at cybersecurity firm Cure53 who analyzed the app, BXAQ is capable of collecting a person's calendar entries, phone contacts, call logs, and text messages — anything that the authorities may believe would provide them insight into a visitor's intentions while in China. It also scans all of the apps installed on a person's phone and in some cases can pull a person's username for the app, potentially allowing the agents to find out a traveler's activity on other platforms. All of that information is snatched up and sent to a remote server, presumably so that authorities can further snoop into a traveler's information.
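A practical post-travel check follows from the two details above: the app is side-loaded rather than installed from the Play Store, and it needs the permissions that cover calendar, contacts, call log and SMS access. The script below is an added example, not code from the report or from the Cure53 analysis. It assumes two text captures taken from the device with adb (`adb shell pm list packages -i`, which prints each package with its installer, and `adb shell dumpsys package <pkg>`, whose output contains a `requested permissions:` section) and flags any package that was not installed by the Play Store and requests at least two of those four permissions. The captures embedded here are constructed, and every package name in them is a placeholder.

```python
"""Post-travel triage of an Android device: flag side-loaded packages that
request the permission set covering calendar, contacts, call log and SMS.

Added example, not code from the article or the analysts it cites. Assumes
text captured with `adb shell pm list packages -i` and
`adb shell dumpsys package <pkg>`. The sample captures below are constructed
and the package names are placeholders.
"""
import re

# Installer package name reported for apps installed through the Play Store.
# "null" or any other value means the package was side-loaded or preinstalled.
PLAY_STORE_INSTALLER = "com.android.vending"

# Runtime permissions that together cover the data categories described above.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CALENDAR",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
}

# Constructed sample of `adb shell pm list packages -i` output.
SAMPLE_PACKAGE_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.notes  installer=com.android.vending
package:com.example.flashlight  installer=null
package:com.example.sideloaded.tool  installer=null
"""

# Constructed samples of the relevant part of `adb shell dumpsys package <pkg>`.
SAMPLE_DUMPSYS = {
    "com.android.chrome": """\
  requested permissions:
    android.permission.INTERNET
    android.permission.READ_CONTACTS
""",
    "com.example.notes": """\
  requested permissions:
    android.permission.READ_CALENDAR
""",
    "com.example.flashlight": """\
  requested permissions:
    android.permission.CAMERA
    android.permission.INTERNET
""",
    "com.example.sideloaded.tool": """\
  requested permissions:
    android.permission.INTERNET
    android.permission.READ_CALENDAR
    android.permission.READ_CONTACTS
    android.permission.READ_CALL_LOG
    android.permission.READ_SMS
""",
}


def parse_package_list(text):
    """Return {package: installer} parsed from `pm list packages -i` output."""
    result = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            result[m.group(1)] = m.group(2)
    return result


def parse_requested_permissions(text):
    """Return the permission names listed under 'requested permissions:'.

    Entries belong to the section while they are indented deeper than the
    section header; a trailing ': granted=...' suffix, if present, is dropped.
    """
    perms = set()
    header_indent = None
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        if stripped == "requested permissions:":
            header_indent = indent
            continue
        if header_indent is None:
            continue
        if indent <= header_indent:
            header_indent = None  # section ended
            continue
        perms.add(stripped.split(":")[0])
    return perms


def flag_sideloaded_collectors(package_list_text, dumpsys_by_pkg, threshold=2):
    """Return {package: [sensitive permissions]} for packages that were not
    installed by the Play Store and request at least `threshold` of the
    sensitive permissions."""
    findings = {}
    for pkg, installer in parse_package_list(package_list_text).items():
        if installer == PLAY_STORE_INSTALLER:
            continue
        perms = parse_requested_permissions(dumpsys_by_pkg.get(pkg, ""))
        hits = sorted(perms & SENSITIVE_PERMISSIONS)
        if len(hits) >= threshold:
            findings[pkg] = hits
    return findings


if __name__ == "__main__":
    for pkg, hits in flag_sideloaded_collectors(SAMPLE_PACKAGE_LIST, SAMPLE_DUMPSYS).items():
        print(f"{pkg}: side-loaded, requests {', '.join(hits)}")
```

The threshold keeps ordinary side-loaded apps that legitimately need one of these permissions out of the report; a package outside the Play Store that asks for several of them at once is the pattern worth a closer look, and the flagged package name is what you would then compare against the hashes and indicators published for this family.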
In addition to stealing significant amounts of personal information from a person's device, the malware also performs a scan for more than 73,000 specific files. According to experts, many of the flagged files appear to be related to what China considers to be extremist content. In some cases, that's the correct label; the malware flags a person's phone if it has copies of the Islamic State's online publication Rumiyah downloaded onto the device. In other cases, it's an excessively broad generalization; the Quran, pages of the Arabic dictionary, content supporting the Dalai Lama and even songs from a Japanese metal band called Unholy Grave are marked by the malware.
The focus on Islamic content is sadly not surprising. China's Xinjiang region — which borders India, Pakistan, Afghanistan, Kyrgyzstan and Tajikistan — has one of the largest Muslim populations in the country, and its residents have been unduly oppressed by the Chinese government. Hundreds of thousands of Muslims in the region have been detained and forced into "re-education camps" where they are made to renounce their religion. Xinjiang authorities have also long subjected the region's residents to invasive police checkpoints and always-watching security cameras that police can monitor at any time. A report from the New York Times earlier this year found that authorities have also built an extensive facial recognition database that can be used to track individuals, and have used it specifically to target Muslim minorities within the region.
China's use of malware extends the country's invasive and inhumane tactics to target and track Muslims and other travelers passing through the region. Luckily, now that the malware has been made public, cybersecurity firms have been able to take action. Antivirus software from Avast, McAfee, Check Point, Symantec, Malwarebytes and others can now block the malware from being installed. Of course, because border agents have access to a person's device, they may be able to bypass these protections. But having any ability to combat the malware or prevent its persistence on a device long after leaving the Xinjiang border is at least a start.