A coalition of leading Western governments has released a list of seemingly legitimate Android apps that, in reality, function as spyware targeting civil society organizations considered hostile to China’s state interests.
The warning comes from a joint advisory issued by the U.K.’s National Cyber Security Centre (NCSC)—part of the intelligence agency GCHQ—alongside government agencies from Australia, Canada, Germany, New Zealand, and the United States. The advisory was published on Tuesday and details the threats posed by two sophisticated spyware families known as BadBazaar and Moonshine.
According to the NCSC’s statement, both BadBazaar and Moonshine spyware were covertly embedded in Android applications that appeared to be ordinary and trustworthy. Operating as classic “Trojan” malware, these apps could secretly enable a wide range of surveillance activities on victims’ devices. Capabilities included accessing sensitive phone features such as cameras, microphones, private chats, photos, and even real-time location data.
BadBazaar and Moonshine have previously been the subject of analysis by cybersecurity firms including Lookout, Trend Micro, and Volexity, as well as the nonprofit digital rights organization Citizen Lab. The recent government advisory notes that the primary targets of these spyware-laden apps included Uyghur Muslims, Tibetans, Taiwanese communities, and other civil society groups involved in causes deemed sensitive or threatening by the Chinese government.
The Uyghurs, a Muslim-minority population mainly residing in China’s Xinjiang region, have long faced state surveillance, detention, and systemic discrimination from Chinese authorities. As a result, they have become frequent targets in hacking and cyber-espionage campaigns, according to the advisory.
The NCSC emphasized that the malicious apps were carefully tailored to attract victims. Some were specifically designed to appeal to targeted individuals, while others mimicked widely used existing apps, thereby increasing the likelihood of being installed. In its press release, the NCSC stated, “The apps specifically target individuals internationally who are connected to topics that are considered by the Chinese state to pose a threat to its stability, with some designed to appeal directly to victims or imitate popular apps.” The agency also outlined that individuals most at risk included anyone connected to Taiwanese independence movements, Tibetan rights advocacy, Uyghur Muslims and other ethnic minorities from Xinjiang, democracy activists (including those in Hong Kong), and members of the Falun Gong spiritual movement.
One of the documents published by the NCSC included a comprehensive list of over 100 malicious Android apps. These apps impersonated religious prayer tools for Muslims and Buddhists, popular messaging platforms such as Signal, Telegram, and WhatsApp, productivity apps including Adobe Acrobat PDF reader, and various other utility applications. This broad range of disguises was intended to maximize appeal and obscure the true intent of the spyware.
The advisory also highlighted the discovery of a single iOS application called TibetOne, which was available on Apple’s App Store in 2021 and was likewise identified as spyware aimed at similar targets.
