Spyware Used on Phones at Xinjiang Border

The ongoing mass detentions in Xinjiang are accompanied by an intense security and surveillance program across the region. In 2017, for example, some Urumqi residents were reportedly forced to install a surveillance app called Jingwang on their phones. Subsequent research found that the app transmitted sensitive data insecurely. In May, Human Rights Watch released details of another element of the system, after obtaining and analyzing a mobile app used by security personnel to interface with the Integrated Joint Operations Platform, which helps coordinate their activities. This week, a joint investigation by The New York Times, Süddeutsche Zeitung, German broadcaster NDR, The Guardian, and Motherboard revealed another app, Fengcai, used to inspect phones at border crossings into the region. Device searches at international borders are not uncommon, but Fengcai targets a notably expansive range of content. From Raymond Zhong at The New York Times:

The app gathers personal data from phones, including text messages and contacts. It also checks whether devices are carrying pictures, videos, documents and audio files that match any of more than 73,000 items included on a list stored within the app’s code.

Those items include ISIS publications, recordings of jihadi anthems and images of executions. But they also include material without any connection to Islamic terrorism, an indication of China’s heavy-handed approach to stopping extremist violence. There are scanned pages from an Arabic dictionary, recorded recitations of Quran verses, a photo of the Dalai Lama and even a song by a Japanese band of the earsplitting heavy-metal style known as grindcore.

“The Chinese government, both in law and practice, often conflates peaceful religious activities with terrorism,” Maya Wang, a China researcher for Human Rights Watch, said. “You can see in , privacy is a gateway right: Once you lose your right to privacy, you’re going to be afraid of practicing your religion, speaking what’s on your mind or even thinking your thoughts.”

[… Travelers’ accounts suggest] that the authorities have been told to be thorough in scanning visitors’ phones, although it was not clear how they were using the information they acquired as a result. It also could not be determined whether anyone had been detained or monitored because of information generated by the app. If Fengcai remains on a person’s phone after it is installed, it does not continue scanning the device in the background, the app’s code indicates. [Source]

The impact of these inspections could extend well beyond device owners to any Xinjiang resident identifiable from their contacts or messaging history, and even beyond. According to Human Rights Watch’s 2018 report “‘Eradicating Ideological Viruses,’” even limited foreign communication, travel, or other association can be enough to draw official attention to individuals or their relatives.

Although the report found that are handled differently using unidentified hardware, Fengcai’s developer, Nanjing FiberHome StarrySky Communication Development Company, does also offer software targeting iOS as well as other mobile operating systems.

Motherboard’s Joseph Cox also reported on the investigation:

Together with the Guardian and the New York Times, the reporting team commissioned several technical analyses of the app. Penetration testing firm Cure53 on behalf of the Open Technology Fund, researchers at Citizen Lab from the University of Toronto, and researchers from the Ruhr University Bochum as well as the Guardian itself all provided insights about BXAQ. The app’s code also includes names such as “CellHunter” and “MobileHunter.”

[…] “This is yet another example of why the surveillance regime in Xinjiang is one of the most unlawful, pervasive, and draconian in the world,” Edin Omanovic, state surveillance programme lead at Privacy International said.

[…] “There is an increasing trend around the world to treat borders as law-free zones where authorities have the right to carry out whatever outrageous form of surveillance they want,” Omanovic said. “But they’re not: the whole point of basic rights is that you’re entitled to them wherever you are. Western liberal democracies intent on implementing increasingly similar surveillance regimes at the border should look to what China is doing here and consider if this is really the model of security they want to be pursuing.” [Source]

Rights generally respected elsewhere are already widely suspended at international borders, sometimes loosely defined. A recent article at The Intercept described one journalist’s experience of warrantless device search at the U.S. border, as well as ongoing efforts to challenge the practice in court.

Cox highlighted technical materials from the investigation on Twitter:

A report from The Guardian’s Hilary Osborne and Sam Cutler included one traveler’s account of his experience at the border:

The Guardian spoke to a traveller who had crossed the border to Xinjiang this year with an Android phone and was disturbed to see the app installed on his phone.

He said he had been asked to hand over his phone at the checkpoint, and it had been taken into a separate room. He and all the other travellers at that checkpoint had also been asked to hand their pin numbers to the officials, and had waited about an hour to have their phones returned.

At no point were they told what was being done to the phones.

He had been told by an international travel agent and by tourist information in Kyrgyzstan that something would happen with his phone at the border.

“We thought it was a GPS tracker,” he said. “[The travel company] was pretty sure we were going to have this thing put in.”

He checked his phone when it was handed back and found the app immediately. [Source]

The findings on Fengcai follow more tentative reports of phone inspections within China’s borders, including locations within Xinjiang as well as Beijing, Shanghai, and Dongguan. ChinaFile’s Muyi Xiao investigated:

At Medium, French security researcher “Elliott Alderson” offered his analysis of the app’s purported code, obtained online:

This app is asking for a lot of dangerous permissions:

  • Read your call log, your contacts, your SMS, your calendar, your SD card
  • Disable the lock screen
  • Access your location
  • Install a new app without your consent

Having so many dangerous permissions in the same app is a first alarm.

[…] As expected, I launched the app and locally the port 10102 was open. We have another piece of info: this is something local, this tool is not made to remotely send a command to the victim’s phones.

The names of the available commands are clear. With this app, the policeman is able to get contacts, sms, call log, locations, apps, audio files, image files, calendar events, …

[…] This is crystal clear, when the policeman unplugs the victim’s phone from his computer, the app will uninstall itself. No trace left. This is sneaky.

[… T]he policeman is going to his desk, plugs your phone into his computer. He is using the Meiya Pico Windows software to install MFSocket. When the install is complete, with one click he is extracting all your personal data from your phone. A few minutes later, the extraction is successful. The officer unplugs your phone from his computer, the app will uninstall itself. [Source]
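
The permission list in the analysis quoted above can be turned into a quick triage check. The following is an added example, not code from this article or from the quoted analysis: it reads a decoded `AndroidManifest.xml` (for instance, one produced by apktool), groups the requested permissions into the capability categories from that list, and flags a broad combination. The sample manifest, its package name, and the alarm threshold are constructed assumptions; the permission names are standard Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Capability groups follow the permission list quoted above, mapped to the
# standard Android permission names that grant each capability.
CAPABILITIES = {
    "call log": {P + "READ_CALL_LOG"},
    "contacts": {P + "READ_CONTACTS"},
    "SMS": {P + "READ_SMS"},
    "calendar": {P + "READ_CALENDAR"},
    "SD card": {P + "READ_EXTERNAL_STORAGE", P + "WRITE_EXTERNAL_STORAGE"},
    "disable lock screen": {P + "DISABLE_KEYGUARD"},
    "location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "install apps": {P + "INSTALL_PACKAGES", P + "REQUEST_INSTALL_PACKAGES"},
}

# Constructed sample manifest (hypothetical package; not the real app's file).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    names = (el.get(ANDROID_NS + "name") for el in root.iter() if el.tag in tags)
    return {n.strip() for n in names if n}

def audit(manifest_xml, alarm_threshold=4):
    """Group requested permissions by capability; alarm on a broad combination.

    alarm_threshold is an assumed cut-off for this example, not a standard.
    """
    perms = requested_permissions(manifest_xml)
    hits = {cap: sorted(perms & names)
            for cap, names in CAPABILITIES.items() if perms & names}
    return {"capabilities": hits, "alarm": len(hits) >= alarm_threshold}

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    for cap, perms in report["capabilities"].items():
        print(f"{cap}: {', '.join(perms)}")
    print("alarm:", report["alarm"])
```
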

Researcher Victor Gevers, who uncovered an unsecured online database of Chinese surveillance data in February, also examined MFSocket:
