China’s spyware at the border targets foreign travelers

Credit: ID 132366180 © M-sur |

Chinese border control officers now physically install a spyware app on Android phones of foreigners entering through the northwest Xinjiang region, which is home to the heavily surveilled Muslim Uyghur population. 

When tourists and business people enter China from Kyrgyzstan by land, they’re required to hand over their smartphones at border security without prior notice. At this point guards physically install malware on the devices called BXAQ or Fengcai, which roughly translates to bees collecting pollen. 

Details of the malware were uncovered in a joint investigation by the Guardian, New York Times, German broadcaster NDR, Süddeutsche Zeitung, and Vice. 

While the process is shocking, foreign visitors can expect heavier surveillance when entering China. One foreigner whose device had been implanted with the malware told the Guardian: “If they were doing it in my home country I would be aghast, but when you are travelling to China you know it might be like this.” 

German security firm cure53 was commissioned by the US-based Open Technology Fund (OTF) and the University of Toronto’s Citizen Lab commissioned to audit BXAQ. 

The security firm says the Chinese state malware is hosted on the same server as the JingWang and IJOP app, which Xinjiang Uyghurs are forced to install on their phones as part of a mass surveillance campaign that includes a ton of street cameras. 

Cure53 found that BXAQ collects a phone’s contacts, text messages, call history, calendar entries, unique device information, details about installed apps, and more. That information is then transmitted to the police server without encryption. 

BXAQ uses the default icon for Android apps, so there’s no attempt to hide the malware from the user because it’s only active during the device scan by the border guard. 

However, cure53 concludes that “BXAQ is more intrusive than JingWang”, essentially because border guard can install it at will when the device has been seized. 

In total, the malware scans for 73,000 different files that could, in China’s view, suggest a link to Islamic terrorism. However, it also scans for unrelated files concerning sensitive territorial issues for China, including Taiwan, Tibet and the Delai Lama.

And, according to the Guardian, it also scans for files about fasting during Ramadan and a tune by a Japanese metal band, Unholy Grave. iPhones are also scanned at the border but are plugged into a separate machine, rather than installing malware. 

Sueddeutsche reports that all foreigners arriving to Xinjiang by land are asked at the border to unlock their phone and then officers take device to a separate room where guards install the malware and scan the device.   

After completing the scan, the malware app’s data is wiped completely from the device wit the exception of a file called /sdcard/android/cjlog.txt, which is encrypted and contains a log of previous scans, according to cure53.  

Read more: Researchers probe shady, dangerous stalkerware app industry

As Vice reported today, Android antivirus providers including Avast, Check Point, McAfee, and Symantec now detect BXAQ as malware.  

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags malwareChinaspywaresymantecmcafeeMalwarebytes

More about AvastCheck PointMcAfeeSymantecTechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Liam Tung

Latest Videos

More videos

Blog Posts