
BadBazaar and Moonshine malware targets Taiwanese, Tibetan and Uyghur groups, U.K. warns

In a joint advisory with Western allies, the National Cyber Security Centre sounded the alarm about variants of BADBAZAAR and MOONSHINE.
A 3D render of a vintage moonshine jug on an isolated white studio background. (allanswart, iStock/Getty Images Plus)

Two spyware variants are targeting Uyghur, Taiwanese and Tibetan groups and individuals, the U.K.’s National Cyber Security Centre warned in a joint alert Wednesday with Western allies.

Cybersecurity researchers have previously linked the BADBAZAAR and MOONSHINE spyware to the Chinese government. The variants mentioned in Wednesday’s alert trojanize apps that are of interest to the target communities, such as a Uyghur language Quran app, and have appeared in official app stores.

“BADBAZAAR and MOONSHINE collect data which would almost certainly be of value to the Chinese state,” the alert reads. Agencies in Australia, Canada, Germany, New Zealand and the United States, namely the FBI and National Security Agency, collaborated on it.

Groups most at risk include those focused on Taiwanese independence, Tibetan rights, Uyghur Muslims, democracy advocacy and Falun Gong, according to the alert. The espionage tools can access and download information like location data or messages and photos, and can access microphones and cameras on a phone.


BADBAZAAR is mobile malware with both iOS and Android variants, while MOONSHINE is Android-only. MOONSHINE has been shared through Telegram channels and links sent via WhatsApp.

“MOONSHINE samples seek permissions which are relevant to the app’s functionality, so may appear unsuspicious, but they also use these permissions to collect information from devices,” a technical analysis states.

The spyware has been drawing attention since at least 2019, when the University of Toronto’s Citizen Lab identified it and said Tibetan groups were receiving malicious links through WhatsApp text exchanges from people posing as journalists and other fake personas.

Beyond official app stores, BADBAZAAR also spreads through social media platforms. It’s been drawing its own attention from cybersecurity researchers since at least 2022 when Lookout identified it.
