One tourist who crossed the border and had the malware installed on their device provided a copy to Süddeutsche Zeitung and Motherboard. A member of the reporting team from Süddeutsche Zeitung then also crossed the border and had the same malware installed on their own phone. Motherboard has uploaded a copy of the Android app to our GitHub account. You can download the Android file here.At the border crossing from Kyrgyzstan into China, surrounded by desolate, mountainous peaks, border authorities take travelers' phones to be searched and install the malware, called BXAQ or Feng Cai. Those crossing the border entered a clean, sterile environment to be searched, and in all, the process of getting through several stages of scrutiny and security takes around half a day, one of the travelers said. Together with the Guardian and the New York Times, the reporting team commissioned several technical analyses of the app. Penetration testing firm Cure53 on behalf of the Open Technology Fund, researchers at Citizen Lab from the University of Toronto, and researchers from the Ruhr University Bochum as well as the Guardian itself all provided insights about BXAQ. The app's code also includes names such as "CellHunter" and "MobileHunter." Once installed on an Android phone, by "side-loading" its installation and requesting certain permissions rather than downloading it from the Google Play Store, BXAQ collects all of the phone's calendar entries, phone contacts, call logs, and text messages and uploads them to a server, according to expert analysis. The malware also scans the phone to see which apps are installed, and extracts the subject’s usernames for some installed apps. Do you know any other cases of government malware? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on [email protected], or email [email protected]
The app does not try to hide itself. Instead, it displays an icon on the device's app select screen, suggesting that it is designed to be removed from the phone after use by the authorities."This is yet another example of why the surveillance regime in Xinjiang is one of the most unlawful, pervasive, and draconian in the world," Edin Omanovic, state surveillance programme lead at Privacy International said.
"Modern extraction systems take advantage of this to build a detailed but flawed picture into people’s lives. Modern apps, platforms, and devices generate huge amounts of data which people likely aren’t even aware of or believe they’ve deleted, but which can still be found on the device. This is highly alarming in a country where downloading the wrong app or news article could land you in a detention camp," he added.
A screenshot of the app on the Android home screen.
The Süddeutsche Zeitung reporter said they saw machines that appeared to be for searching iPhones at the border.
A screenshot of the app scanning for files."The Chinese government, both in law and practice, often conflates peaceful religious activities with terrorism. Chinese law defines terrorism and extremism in a very broad and vague manner. For example, terrorism charges can stem from mere possession of 'items that advocate terrorism,' even though there is no clear definition of what these materials may be," Wang from Human Rights Watch said.
One of the scanned files is The Syrian Jihad, a book written by Charles Lister, a leading terrorism scholar and senior fellow and director of the Countering Terrorism and Extremism program at the Middle East Institute.
"This is news to me!" Lister wrote in an email. "I’ve never had any criticism for the book—in fact, in all honesty, the opposite.""Instead, I suspect China’s authorities would find anything with the word 'jihad' in the title to be potentially suspicious," he added. "The book covers, albeit minimally, the role of the Turkistan Islamic Party in Syria, which may also be a point of sensitivity for Beijing. I’ve met with and engaged with Chinese officials to brief them on these issues, so I’m not aware of any problem Beijing would have with me." "This is yet another example of why the surveillance regime in Xinjiang is one of the most unlawful, pervasive, and draconian in the world." Motherboard previously covered JingWang, a piece of malware installed on devices in the Xinjiang region of China. Authorities typically installed JingWang on phones belonging to the Muslim Uighur population, and the app also scanned a phone for a similar particular set of files. According to expert analysis, the list of hunted files in BXAQ overlaps somewhat, but not entirely, with those that JingWang searches for, but BXAQ goes further. Chinese authorities did not respond to a request for comment. Neither did Ninjing FiberHome StarrySky Communication Development Company Ltd, the partly state-owned company that developed the app. "There is an increasing trend around the world to treat borders as law-free zones where authorities have the right to carry out whatever outrageous form of surveillance they want," Omanovic said. "But they’re not: the whole point of basic rights is that you’re entitled to them wherever you are. Western liberal democracies intent on implementing increasingly similar surveillance regimes at the border should look to what China is doing here and consider if this is really the model of security they want to be pursuing."
Subscribe to our new cybersecurity podcast,CYBER.