A recent joint advisory from the United Kingdom’s National Cyber Security Centre (NCSC) and international partners from five countries has shed light on two spyware variants — BADBAZAAR and MOONSHINE — actively targeting individuals from Uyghur, Tibetan, and Taiwanese communities, as well as civil society organizations linked to these regions. This collaborative effort, which includes cybersecurity agencies from Australia, Canada, Germany, New Zealand, and the United States, aims to raise awareness about the ongoing digital surveillance campaign orchestrated by the Chinese state.
According to the advisory, these cyber intrusions are not random but carefully orchestrated to infiltrate smartphones, gather sensitive personal data, and monitor individuals in real time, often without their knowledge. Both BADBAZAAR and MOONSHINE are designed for covert surveillance and have been discovered embedded in mobile apps. These malicious programs can access device microphones, cameras, messages, and photos, and can track location data, allowing remote hackers to monitor targets discreetly.
The report highlights that some infected apps mimic popular platforms like WhatsApp or Skype, while others are standalone applications designed to appear trustworthy, especially to users from the affected regions. For instance, the Tibet One app, available briefly on the Apple App Store in December 2021, was specifically created to deploy BADBAZAAR spyware. Similarly, the Audio Quran app, targeting Uyghur Muslims, delivered the MOONSHINE spyware by using the Uyghur language in its file name and description.
The groups most at risk from these spyware tools include supporters of Taiwan’s independence, Tibetan rights organizations, Uyghur Muslims, advocates for democratic reform in China, and followers of the Falun Gong faith. The Chinese state has historically viewed these groups and movements as politically sensitive, exerting efforts to control or silence dissent through surveillance, intimidation, and disinformation.
To protect individuals at risk, the NCSC and its international partners advise taking precautions when downloading or using mobile apps. Recommendations include using official app stores, checking app permissions regularly, reviewing app updates, avoiding suspicious links, and reporting unusual messages or files. Additionally, civil society groups, journalists, and activists are encouraged to stay informed about emerging threats and utilize security tools such as VPNs and encrypted messaging platforms.
The international coalition behind this report aims to limit the reach of these cyber intrusions and safeguard the rights of vulnerable communities, and it hopes to raise awareness and encourage vigilance among app store operators, developers, and users. By shedding light on evolving strategies in deploying spyware, the coalition aims to curb the impact of these surveillance campaigns and protect the freedoms of individuals worldwide.