A coalition of international cybersecurity agencies has uncovered a sophisticated spyware campaign that weaponized seemingly legitimate Android apps to spy on ethnic minorities and civil society groups critical of China’s state policies.
The United Kingdom’s National Cyber Security Centre (NCSC), part of intelligence agency GCHQ, in coordination with cybersecurity authorities from the U.S., Australia, Canada, Germany, and New Zealand, issued joint advisories exposing two families of spyware: BadBazaar and Moonshine.
These malicious tools, disguised as popular and useful apps—including prayer apps, secure messaging platforms like WhatsApp and Signal, Adobe Acrobat, and various utilities—acted as digital trojans.
Once installed, they silently accessed victims’ cameras, microphones, chats, photos, and location data, allowing full surveillance control.
Cybersecurity watchdogs, including Lookout, Trend Micro, Volexity, and Citizen Lab, had previously flagged these spy tools. The global alert now confirms that the spyware campaigns specifically targeted Uyghurs, Tibetans, Taiwanese, and advocates of democracy and human rights, both within and outside China.
The advisory highlighted that some apps were even tailored to appeal to the targeted groups, mimicking prayer apps or imitating secure messaging platforms.
One iOS app, TibetOne, which was available on Apple’s App Store in 2021, was also flagged as part of the Moonshine spyware operation.
The revelations spotlight ongoing cyber-espionage campaigns linked to state-backed actors seeking to suppress dissent, monitor minority communities, and disrupt pro-democracy movements. While Google and Apple have yet to respond to the findings, the advisory has reignited concerns about mobile app store security and digital surveillance.