Tue. Dec 16th, 2025

Intelligence agencies from the UK, US, Canada, Germany, Australia, and New Zealand have uncovered a sophisticated global spyware campaign allegedly backed by China, targeting activists, minority groups, and political dissidents.

In a joint advisory issued on Tuesday, the UK’s National Cyber Security Centre (NCSC), supported by GCHQ, exposed two spyware tools—BadBazaar and Moonshine—embedded in Android apps disguised as everyday utilities like Telegram, WhatsApp, Adobe Acrobat, and even religious applications for Muslims and Buddhists. Unlike typical malware, these apps were engineered for covert surveillance, allowing attackers to eavesdrop on conversations, track locations, access photos, and read private messages without users’ consent.

The targeted campaign was neither random nor opportunistic. According to the report, it focused on specific communities deemed threatening to Chinese state interests, including Uyghur Muslims, Tibetans, Taiwanese independence activists, Hong Kong pro-democracy supporters, and Falun Gong practitioners.

Notably, many of the affected individuals reside outside China, underscoring the international scope of the surveillance operation. The NCSC noted that the apps were carefully crafted to appeal directly to these groups, making it easier for attackers to infiltrate their digital lives under the guise of trusted tools.

Cybersecurity watchdogs like Trend Micro, Lookout, Volexity, and Citizen Lab have previously analyzed the two spyware families. BadBazaar often disguised itself as encrypted messaging or file-sharing apps, while Moonshine reportedly masqueraded as a toolkit tailored to specific groups such as Tibetans.

Over 100 Android apps were identified as carriers of the spyware, including prayer apps, language learning tools, document readers, and chat platforms. One iOS app, TibetOne, even reached Apple’s App Store in 2021, raising concerns about the effectiveness of platform-level screening.

As of now, neither Google nor Apple has issued statements regarding the removal of the compromised apps or the extent of user exposure. The advisory serves as a stark reminder of how digital tools meant to foster communication and connectivity can be weaponized for surveillance and control. The incident highlights the growing threat of state-sponsored cyber espionage and the need for greater scrutiny and protections in digital spaces, especially for vulnerable communities engaged in activism and advocacy.
