Chinese border police installing malware on tourists' phones to surveil them: Report

China has been in the news for its surveillance campaigns in certain regions within the country. The most well known and well-reported instance is about the mass surveillance that’s happening in the Xinjiang region where Uighur Muslim minorities are constantly monitored, be it via the hundreds of CCTV cameras, physical searches and more. Now it turns out, even tourists who are entering Xinjiang region are being subjected to some form of surveillance. In a collaborative scoop reported by Vice’s Motherboard, The New York Times, The Guardian, Sueddeutsche Zeitung and German public broadcaster NDR, the Chinese border police are forcing tourists travelling to the Xinjiang region to install a piece of malware on their phones. This malware copies all the data including contact details, messages, images and other data from the tourist’s phone and uploads it on the border police servers. This data is then compared against around 73,000 pieces of objectionable content enumerated by the Chinese authorities. [caption id=“attachment_4347245” align=“alignnone” width=“1280”] Chinese policewoman with sunglasses with in-built Facial Recognition. Image: QQ[/caption] According to Vice, the files being searched for include Islamic extremist content as well as harmless Islamic material, academic books on Islam, photos of Tibetan leader Dalai Lama, literature on Tibet and even a song by a Japanese metal band Unholy Grave.  One tourist whose phone was confiscated by the border police saw the unauthorised app — called Fengcai — installed on his device. Instead of deleting the app, the tourist provided these details to Suedeutesche Zeitung (SZ) and Motherboard. A reporter from SZ also travelled to Xinjiang and found the same malware installed on their phone as well. According to this reporter, even ethnic Han Chinese are also subjected to phone-checking. In the case of iPhones, they were unlocked by the visitor and then connected via a USB cable to a hand-held device by the authorities, according to the reporter who made the trip. This app was analysed by a Berlin-based penetration testing firm, Cure53, on the behalf of Open Technology Fund, researchers at Citizen Lab from the University of Toronto and researchers from the Ruhr University in Bochum, Germany. The app also goes by the name BXAQ and its code presented names like ‘CellHunter’ and ‘MobileHunter’. According to experts, once the app is installed on a device, it collects the phone’s calendar entries, phone contacts, call records and text messages, and uploads them to a remote server. In addition to this, the app also notes the apps installed on the device and extracts usernames for some of the apps.

There has been no clarification from the Chinese authorities on the matter. A China researcher for Human Rights Watch, Maya Wang, told The New York Times that the Chinese government often conflates peaceful religious activities with terrorism. “You can see in Xinjiang, privacy is a gateway right: Once you lose your right to privacy, you’re going to be afraid of practising your religion, speaking what’s on your mind or even thinking your thoughts,” said Wang. NYT also reached out to two authors whose books have been flagged by the Chinese authorities as well. Both the authors were confused as to why their books were under the scanner. Charles Lister, the author of The Syrian Jihad guessed that the word jihad in the title may have been a reason. According to the publications, the Fengcai app has been made by a unit of FiberHome, which produces optical cable and telecom equipment and is partly owned by the Chinese state. This revelation paints a scary picture of China’s surveillance ambitions.