Cybersecurity researchers said they have found evidence of Chinese spyware in Uyghur-language apps that can track the location and harvest the data of Uyghurs living in China and abroad.
Uyghurs are a Turkic Muslim minority predominantly in China’s northwestern region of Xinjiang, where a recent UN report said Beijing may have committed crimes against humanity.
The United States and lawmakers in other Western countries say China’s treatment of the Uyghurs amounts to genocide.
A Thursday report by San Francisco-based cybersecurity firm Lookout claims that since 2018, multiple Uyghur-language Android apps have been found to be infected with two strains of spyware linked to Chinese state-backed hacker groups.
They include dictionaries, religious apps, maps and even pirated versions of WhatsApp available on third-party stores or shared on Uyghur-language channels on Telegram.
They were not available on the official Google Play store, which is blocked in China, leading Chinese users to use third-party app stores.
The spyware enabled hackers to collect sensitive data including a user’s location, contacts, call logs, text messages and files, the report said, and could also take photos and record calls.
Researchers said the apps could have been used to detect evidence of religious extremism or separatism, for which Uyghurs have been imprisoned, some for decades, as part of a sweeping anti-terrorism crackdown in Xinjiang which observers say amounts to a mass detention campaign.
Large Uyghur diaspora populations also live in central Asia and Turkey.
“The campaign appears to primarily target Uyghurs in China. However, we found evidence of broader targeting of Muslims and Uyghurs outside of Xinjiang,” the report said.
“Several of the samples we analyzed masqueraded as mapping apps for other countries with significant Muslim populations, like Turkey or Afghanistan.”
For years, China has engaged in mass monitoring of Uyghurs in Xinjiang, creating a province-wide surveillance platform that vacuums Uyghurs’ personal data from their phones and tracks their movements through facial recognition.
Several Chinese surveillance and camera firms have been sanctioned by the US for alleged complicity in human rights violations.
Uyghurs living abroad have spoken of attempts at cross-border surveillance and coercion from Chinese police back in Xinjiang.
Liu Pengyu, a spokesperson at the Chinese Embassy in Washington, told Bloomberg News “we oppose wild guesses and malicious slurs against China”, adding the country opposes “all forms of cyber attacks”.
Samples of the infected apps were dated from 2018 onwards, and the vast majority of apps infected with one strain of spyware were discovered in the second half of this year, the report said.
“Despite growing international pressure, Chinese threat actors operating on behalf of the Chinese state are likely to continue to distribute surveillanceware targeting Uyghur and Muslim mobile device users through Uyghur-language communications platforms,” Lookout researchers wrote.
