A group of international intelligence and cybersecurity agencies has uncovered a collection of seemingly harmless Android apps that were actually sophisticated surveillance tools designed to spy on individuals critical of China’s government.
On Tuesday, the U.K.’s National Cyber Security Centre (NCSC), part of the intelligence agency GCHQ, joined forces with counterparts from Australia, Canada, Germany, New Zealand, and the United States to issue warnings about two prominent spyware families: BadBazaar and Moonshine.
These malicious tools were embedded within apps that appeared legitimate on the surface—ranging from prayer guides to messaging platforms—but were in fact “Trojanized” spyware.
Once installed, they secretly granted attackers access to sensitive data including photos, chats, GPS location, microphones, and cameras.
The spyware campaigns, which have also been analyzed by cybersecurity experts at Lookout, Trend Micro, Volexity, and the digital watchdog Citizen Lab, reportedly targeted vulnerable communities such as Uyghurs, Tibetans, Taiwanese citizens, and international civil society organizations.
The NCSC warned that the malicious apps were crafted to attract people connected to causes the Chinese state perceives as threats—such as advocacy for democracy, support for Tibetan and Uyghur rights, Taiwanese independence, and movements like Falun Gong.
Many of the apps even mimicked popular platforms like Signal, Telegram, and WhatsApp, or posed as religious and utility tools, including a fake Adobe Acrobat app.
A detailed list published by the NCSC reveals over 100 Android apps involved in this operation.
In addition, a suspicious iOS app called TibetOne, which briefly appeared on Apple’s App Store in 2021, was also highlighted.
Neither Apple nor Google has issued a public response regarding the spyware-laden apps at the time of publication.
