Chinese border control officers now physically install a spyware app on Android phones of foreigners entering through the northwest Xinjiang region, which is home to the heavily surveilled Muslim Uyghur population.
When tourists and business people enter China from Kyrgyzstan by land, they’re required to hand over their smartphones at border security without prior notice. At this point guards physically install malware on the devices called BXAQ or Fengcai, which roughly translates to bees collecting pollen.
Details of the malware were uncovered in a joint investigation by the Guardian, New York Times, German broadcaster NDR, Süddeutsche Zeitung, and Vice.
While the process is shocking, foreign visitors can expect heavier surveillance when entering China. One foreigner whose device had been implanted with the malware told the Guardian: “If they were doing it in my home country I would be aghast, but when you are travelling to China you know it might be like this.”
German security firm cure53 was commissioned by the US-based Open Technology Fund (OTF) and the University of Toronto’s Citizen Lab commissioned to audit BXAQ.
The security firm says the Chinese state malware is hosted on the same server as the JingWang and IJOP app, which Xinjiang Uyghurs are forced to install on their phones as part of a mass surveillance campaign that includes a ton of street cameras.
Cure53 found that BXAQ collects a phone’s contacts, text messages, call history, calendar entries, unique device information, details about installed apps, and more. That information is then transmitted to the police server without encryption.
BXAQ uses the default icon for Android apps, so there’s no attempt to hide the malware from the user because it’s only active during the device scan by the border guard.
However, cure53 concludes that “BXAQ is more intrusive than JingWang”, essentially because border guard can install it at will when the device has been seized.
In total, the malware scans for 73,000 different files that could, in China’s view, suggest a link to Islamic terrorism. However, it also scans for unrelated files concerning sensitive territorial issues for China, including Taiwan, Tibet and the Delai Lama.
And, according to the Guardian, it also scans for files about fasting during Ramadan and a tune by a Japanese metal band, Unholy Grave. iPhones are also scanned at the border but are plugged into a separate machine, rather than installing malware.
Sueddeutsche reports that all foreigners arriving to Xinjiang by land are asked at the border to unlock their phone and then officers take device to a separate room where guards install the malware and scan the device.
After completing the scan, the malware app’s data is wiped completely from the device wit the exception of a file called /sdcard/android/cjlog.txt, which is encrypted and contains a log of previous scans, according to cure53.
As Vice reported today, Android antivirus providers including Avast, Check Point, McAfee, and Symantec now detect BXAQ as malware.