The ongoing mass detentions in Xinjiang are accompanied by an intense security and surveillance program across the region. In 2017, for example, some Urumqi residents were reportedly forced to install a surveillance app called Jingwang on their phones. Subsequent research found that the app transmitted sensitive data insecurely. In May, Human Rights Watch released details of another element of the system, after obtaining and analyzing a mobile app used by security personnel to interface with the Integrated Joint Operations Platform which helps coordinate their activities. This week, a joint investigation by The New York Times, Süddeutsche Zeitung, German broadcaster NDR, The Guardian, and Motherboard revealed another app, Fengcai, used to inspect phones at border crossings into the region. Device searches at international borders are not uncommon, but Fengcai targets a notably expansive range of content. From Raymond Zhong at The New York Times:
The app gathers personal data from phones, including text messages and contacts. It also checks whether devices are carrying pictures, videos, documents and audio files that match any of more than 73,000 items included on a list stored within the app’s code.
Those items include ISIS publications, recordings of jihadi anthems and images of executions. But they also include material without any connection to Islamic terrorism, an indication of China’s heavy-handed approach to stopping extremist violence. There are scanned pages from an Arabic dictionary, recorded recitations of Quran verses, a photo of the Dalai Lama and even a song by a Japanese band of the earsplitting heavy-metal style known as grindcore.
“The Chinese government, both in law and practice, often conflates peaceful religious activities with terrorism,” Maya Wang, a China researcher for Human Rights Watch, said. “You can see in Xinjiang, privacy is a gateway right: Once you lose your right to privacy, you’re going to be afraid of practicing your religion, speaking what’s on your mind or even thinking your thoughts.”
[… Travelers’ accounts suggest] that the authorities have been told to be thorough in scanning visitors’ phones, although it was not clear how they were using the information they acquired as a result. It also could not be determined whether anyone had been detained or monitored because of information generated by the app. If Fengcai remains on a person’s phone after it is installed, it does not continue scanning the device in the background, the app’s code indicates. [Source]
The impact of these inspections could extend well beyond device owners to any Xinjiang resident identifiable from their contacts or messaging history, and even beyond. According to Human Rights Watch’s 2018 report “‘Eradicating Ideological Viruses,'” even limited foreign communication, travel, or other association can be enough to draw official attention to individuals or their relatives.
Although the report found that iPhones are handled differently using unidentified hardware, Fengcai’s developer, Nanjing FiberHome StarrySky Communication Development Company, does also offer software targeting iOS as well as other mobile operating systems.
Motherboard’s Joseph Cox also reported on the investigation:
Together with the Guardian and the New York Times, the reporting team commissioned several technical analyses of the app. Penetration testing firm Cure53 on behalf of the Open Technology Fund, researchers at Citizen Lab from the University of Toronto, and researchers from the Ruhr University Bochum as well as the Guardian itself all provided insights about BXAQ. The app’s code also includes names such as “CellHunter” and “MobileHunter.”
[…] “This is yet another example of why the surveillance regime in Xinjiang is one of the most unlawful, pervasive, and draconian in the world,” Edin Omanovic, state surveillance programme lead at Privacy International said.
[…] “There is an increasing trend around the world to treat borders as law-free zones where authorities have the right to carry out whatever outrageous form of surveillance they want,” Omanovic said. “But they’re not: the whole point of basic rights is that you’re entitled to them wherever you are. Western liberal democracies intent on implementing increasingly similar surveillance regimes at the border should look to what China is doing here and consider if this is really the model of security they want to be pursuing.” [Source]
Rights generally respected elsewhere are already widely suspended at international borders, sometimes loosely defined. A recent article at The Intercept described one journalist’s experience of warrantless device search at the U.S. border, as well as ongoing efforts to challenge the practice in court.
Cox highlighted technical materials from the investigation on Twitter:
We published a sample of the malware here. Chinese authorities are putting this onto tourists’ phones as they cross into Xinjiang. https://t.co/UWCduJtVTu
— Joseph Cox (@josephfcox) July 2, 2019
If you want more technical details on the app, here is Cure53’s report, supported by OTF: https://t.co/P19pE2JriE pic.twitter.com/2noNP083AW
— Joseph Cox (@josephfcox) July 2, 2019
Here is another technical report, via Ruhr-Universität Bochum https://t.co/3Zn10mwV0K pic.twitter.com/QWboMyns0n
— Joseph Cox (@josephfcox) July 2, 2019
A report from The Guardian’s Hilary Osborne and Sam Cutler included one traveler’s account of his experience at the border:
The Guardian spoke to a traveller who had crossed the border to Xinjiang this year with an Android phone and was disturbed to see the app installed on his phone.
He said he had been asked to hand over his phone at the checkpoint, and it had been taken into a separate room. He and all the other travellers at that checkpoint had also been asked to hand their pin numbers to the officials, and had waited about an hour to have their phones returned.
At no point were they told what was being done to the phones.
He had been told by an international travel agent and by tourist information in Kyrgyzstan that something would happen with his phone at the border.
“We thought it was a GPS tracker,” he said. “[The travel company] was pretty sure we were going to have this thing put in.”
He checked his phone when it was handed back and found the app immediately. [Source]
The findings on Fengcai follow more tentative reports of phone inspections within China’s borders, including locations within Xinjiang as well as Beijing, Shanghai, and Dongguan. ChinaFile’s Muyi Xiao investigated:
(THREAD) There have been reports on Chinese social media these days about police spot-checking people’s phones in Beijing and Shanghai (Beijing PSB denied it). As I looked into it, I came across an app called MFsocket 1/8 pic.twitter.com/XotR25lG2g
— Muyi Xiao (@muyixiao) June 21, 2019
I did more research about this app and found dozens of people complaining about finding it installed on their phones after visiting the police station (one went to the police station just to get ID card done, and another was just riding scooter and got stopped by police) 2/8 pic.twitter.com/EPjnyqqigJ
— Muyi Xiao (@muyixiao) June 21, 2019
Found several cases in #Xinjiang, for example this one: https://t.co/ZSDQlWdVnB
The person who posted it on HUAWEI’s forum is/was in #Xinjiang, as you can read his/her responses to people lower down the page. 3/8 pic.twitter.com/oKQS2zvXrV— Muyi Xiao (@muyixiao) June 21, 2019
Another person in the same thread who had the same experience was also in #Xinjiang. There are more cases in XJ I saw on other forums/websites. @RadioFreeAsia @hrw 4/8 pic.twitter.com/kC5MD2We90
— Muyi Xiao (@muyixiao) June 21, 2019
The earliest case I found dates to 2016 (not sure where). And I read about one case in Dongguan, Guangdong province. (And one mentioned Shanghai mentioned in the first screenshot above, if it were true.) @MrKennethTan had similar findings: https://t.co/s8hy7OUy73 5/8 pic.twitter.com/BhBklSWeE1
— Muyi Xiao (@muyixiao) June 21, 2019
An app analysis tool shows that this app––MFsocket.apk––gains ROOT access to an Android phone and can subsequently do many things: read contacts, msgs, enable wifi…you name it https://t.co/eemllCTxDf 6/8 pic.twitter.com/2l9koV1xFL
— Muyi Xiao (@muyixiao) June 21, 2019
Who built it? The infamous Meiya Pico, the one that provides support to #surveillance systems in XJ & many other places. They even wrote a debugging guide abt how to successfully install the app on 14 different brands of phones, including Samsung:https://t.co/m83Ao8YMdb 7/8
— Muyi Xiao (@muyixiao) June 21, 2019
To learn more about Meiya Pico, read this article by @teamlipei https://t.co/U0ZgdIkZTo
And this one by @joshchin from back in 2017 also mentions it: https://t.co/peObwJzsmS 8/8— Muyi Xiao (@muyixiao) June 21, 2019
At Medium, French security researcher “Elliott Alderson” offered his analysis of the app’s purported code, obtained online:
This app is asking a lot of dangerous permissions:
- Read your call log, your contacts, your SMS, your calendar, your SD card
- Disable the lock screen
- Access your location
- Install a new app without your consent
- …
Having so much dangerous permissions in the same app is a first alarm.[…] As expected, I launched the app and locally the port 10102 was open. We have another info, this is something local, this tool is not made to send remotely a command to the victim’s phones.
The name of the available commands are clear. With this app, the policeman is able to get contacts, sms, call log, locations, apps, audio files, image files, calendar events, …
[…] This is cristal clear, when the policeman unplug the victim’s phone from his computer, the app will uninstall itself. No trace left. This is sneaky.
[… T]he policeman is going to his desk, plug your phone to his computer. He is using the Meiya Pico Windows software to install MFSocket. When the install is complete, with one click he is extracting all your personal data from your phone. Few minutes later, the extraction is successful. The officier unplug your phone from his computer, the app will uninstall itself. [Source]
Researcher Victor Gevers, who uncovered an unsecured online database of Chinese surveillance data in February, also examined MFSocket:
This MFSocket.apk trojan/RAT seems to be connected to Meiyapico's Phone Forensics System which extracts data from phones and provides "a special way to unlock" devices. pic.twitter.com/kFIg9EamC7
— Victor Gevers (@0xDUDE) June 24, 2019
The MFSocket.ipa (part of the Meiyapico’s Phone Forensics System) can extract data from iPhones which gets installed in MobileMaster\Mobile Support\BaseTool\iPhone\iPA\Enterprise directory and requires to be manually “trusted” accepted in Profiles & Device Management. pic.twitter.com/ShLdiOy6kn
— Victor Gevers (@0xDUDE) June 25, 2019
