A coalition of cybersecurity global agencies has revealed that over 100 Android apps, and at least one iOS app. Were secretly spyware used to surveil civil society groups viewed as a threat to Chinese state interests. The report names two spyware families—BadBazaar and Moonshine—as the culprits behind this covert campaign.
On Tuesday, the UK’s National Cyber Security Centre (NCSC), a division of intelligence agency GCHQ. Published joint advisories alongside agencies from the U.S., Australia, Canada, Germany, and New Zealand. Their investigation exposes how these sophisticated spy tools were disguised inside legitimate-looking Android apps that functioned as Trojan malware. Once installed, the apps granted attackers sweeping access to users’ phones. Including the camera, microphone, chat logs, photos, and real-time location data.
The victims? Predominantly members of civil society and ethnic minority groups already under intense scrutiny from the Chinese government. According to the NCSC and supporting agencies, Uyghurs, Tibetans, and Taiwanese communities were especially targeted. Along with individuals tied to movements supporting Hong Kong democracy, Falun Gong, and Tibetan and Uyghur rights.
These surveillance apps weren’t just generic decoys. Many were carefully crafted to mimic trusted platforms or appeal directly to the intended victims. The list includes apps disguised as Muslim and Buddhist prayer apps, chat apps like Signal, WhatsApp, and Telegram. As well as productivity and utility tools like Adobe Acrobat Reader.
The spyware operations exploited both Android and iOS platforms, with the iOS app TibetOne making its way onto the Apple App Store as recently as 2021. That app also functioned as a surveillance tool, underscoring how even tightly curated app marketplaces can be compromised when state-backed actors are involved.
These revelations are backed by previous research from cybersecurity firms like Lookout, Trend Micro, and Volexity, along with the digital rights watchdog Citizen Lab. Their past reports have documented how state-linked hacking campaigns routinely target Uyghur Muslims. Who face widespread surveillance and persecution inside China’s Xinjiang region.
The NCSC emphasized that many of these apps were specifically crafted to deceive. Blending in with popular religious or messaging tools to lower suspicion. “The individuals most at risk,” the agency warned, “include anyone connected to Taiwanese independence, Tibetan rights, Uyghur Muslims, democracy advocacy in Hong Kong, and the Falun Gong spiritual movement.”
The newly released list of apps, included in one of the two NCSC documents published Wednesday. Serves as both a warning and a call to action for users and mobile security experts alike. The full list includes more than 100 Android apps, a number of which are still circulating outside mainstream app stores.
This global advisory marks a rare moment of international unity on the issue of state-sponsored spyware, and serves as a stark reminder of how everyday digital tools can be weaponized against activists, minorities, and advocacy groups—all under the guise of convenience.
