Several government security agencies worldwide are warning people about spyware that has been snooping on mobile phone users' private data. An advisory from the various agencies recently revealed that the spyware variants have been targeting users connected to Taiwanese independence and similar movements. Known as Badbazaar and Moonshine, the two spyware strains have been spoofing legitimate apps to trick unsuspecting victims. [1]
The advisory comes from a host of agencies, including the Australian Cyber Security Centre (part of the Australian Signals Directorate), the Canadian Centre for Cyber Security (part of the Communications Security Establishment), the German Federal Intelligence Service, the German Federal Office for the Protection of the Constitution, the New Zealand National Cyber Security Centre (part of the Government Communications Security Bureau), and the FBI and NSA in the US.
The agencies stated that the spyware targets individuals connected to areas the Chinese government considers a threat to its authority, ambitions, and reputation. People most at risk include anyone associated with Taiwanese independence, Tibetan rights, Uyghur Muslims, and other ethnic minorities from China's Xinjiang Uyghur Autonomous Region, democracy advocates in Hong Kong and elsewhere, and the Falun Gong spiritual movement.
Though aimed at non-governmental organizations (NGOs), journalists, businesses, and individuals who advocate for or represent the targeted groups, the spyware spreads indiscriminately. It could expand beyond the intended victims to other mobile phone users worldwide.
See: https://redskyalliance.org/xindustry/chinese-apt-groups-targeting-chinese-muslims-and-ngos
Like any spyware, Badbazaar and Moonshine attempt to compromise a mobile device to steal confidential or sensitive information. These variants aim to access location data with real-time tracking, the microphone and camera, photos, and other files saved on the phone, and device information. The cybercriminals behind this attack try to make the spyware appear legitimate by uploading it to official app stores like Google Play and Apple's App Store or by adding malicious code to otherwise benign apps.
In campaigns observed over the past few years, Badbazaar and Moonshine spyware spoofed apps such as Adobe Acrobat, Signal, Skype, SwiftKey keyboard, Telegram, and WhatsApp. They've also impersonated apps that would interest the intended victims, including Buddhist Songs, an English-to-Uyghur dictionary, Singing Bowl Sounds, Tibetan Prayer, and a Uyghur Keyboard.
Though these spyware strains target specific groups, malicious apps can threaten anyone. The advisory offers several recommendations on how to protect yourself.
- Download apps only from official app stores. To be safe, limit your downloads to Google Play or Apple's App Store. Apps from official stores can still be malicious, but unofficial stores offer no protection or security at all. Check out the NCSC's threat report on app stores to learn more.
- Keep your device and apps up to date. Download and install the latest security updates for your mobile device. Consider enabling automatic updates to grab them as soon as they're available. For more tips, review the NCSC's top tips for staying secure online.
- Don't jailbreak or root your device. Tempting though it may be, jailbreaking your iPhone or rooting your Android phone bypasses the built-in security defenses, leaving the device more vulnerable to malware and compromise.
- Review your apps and their permissions. Restrict or remove any permissions that aren't necessary for a particular app, especially ones that involve the camera or microphone. Here's how to do that on an iPhone and an Android device.
- Use Google Play Protect. If you download Android apps from Google Play, ensure Google Play Protect is turned on. By enabling the "Improve harmful app detection" option, you can send an unknown or suspicious app to Google for analysis. For help, check out Google's support page on how to keep your apps safe and your data private.
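Two of the recommendations above (install only from official stores, and review which apps hold camera, microphone and location permissions) can be checked from a workstation for an Android device. The script below is an added example, not code from the advisory or from Red Sky Alliance; it parses a constructed, simplified imitation of `adb shell dumpsys package` output (the field names `installerPackageName` and `granted=` mirror the real tool, but the sample text and its layout are invented here) and flags apps that were sideloaded or that hold a sensitive permission, so the owner can decide whether each grant is really needed.

```python
"""Audit installed Android apps against two of the advisory's recommendations:
   (1) was the app installed by an official store, and
   (2) does it hold camera, microphone or fine-location permissions.

The input is a constructed, simplified imitation of `adb shell dumpsys package`
output; in real use you would feed the tool's actual output to parse_dumpsys()."""
import re
from dataclasses import dataclass, field
from typing import Optional

OFFICIAL_INSTALLERS = {"com.android.vending"}  # package name of the Google Play store
SENSITIVE = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed sample (not real device output): three packages, one sideloaded.
SAMPLE_DUMPSYS = """\
Package [org.example.messenger] (1a2b3c):
  installerPackageName=com.android.vending
  runtime permissions:
    android.permission.CAMERA: granted=true
    android.permission.RECORD_AUDIO: granted=true
    android.permission.READ_CONTACTS: granted=false
Package [com.example.prayer] (4d5e6f):
  installerPackageName=null
  runtime permissions:
    android.permission.ACCESS_FINE_LOCATION: granted=true
    android.permission.RECORD_AUDIO: granted=true
Package [com.example.calculator] (7a8b9c):
  installerPackageName=com.android.vending
  install permissions:
    android.permission.INTERNET: granted=true
"""


@dataclass
class AppRecord:
    package: str
    installer: Optional[str]          # None means no installer recorded (sideloaded)
    granted: set = field(default_factory=set)


def parse_dumpsys(text: str):
    """Split dumpsys-style text into one AppRecord per 'Package [...]' section."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Package \[([\w.]+)\]", line)
        if m:
            current = AppRecord(package=m.group(1), installer=None)
            records.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"installerPackageName=(\S+)", line)
        if m:
            current.installer = None if m.group(1) == "null" else m.group(1)
            continue
        m = re.match(r"([\w.]+): granted=(true|false)", line)
        if m and m.group(2) == "true":
            current.granted.add(m.group(1))
    return records


def audit(records):
    """Return {package: [issues]} for apps that need a second look."""
    findings = {}
    for r in records:
        issues = []
        if r.installer not in OFFICIAL_INSTALLERS:
            issues.append("sideloaded" if r.installer is None else f"installer={r.installer}")
        for perm in sorted(r.granted & SENSITIVE):
            issues.append(f"holds {perm.rsplit('.', 1)[1]}")
        if issues:
            findings[r.package] = issues
    return findings


if __name__ == "__main__":
    for pkg, issues in audit(parse_dumpsys(SAMPLE_DUMPSYS)).items():
        print(f"{pkg}: {', '.join(issues)}")
```

On the constructed sample the calculator is silent, the messenger is listed only because it holds camera and microphone grants (expected for a messaging app, but worth confirming it is the genuine app), and the sideloaded prayer app is flagged for both its unknown installer and its location and microphone access. The script intentionally reports rather than decides: whether a grant is "necessary for a particular app" is the owner's call, exactly as the advisory frames it.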
Moonshine spyware is particularly insidious, employing sophisticated techniques to infiltrate devices and evade detection. Its primary goal is to compromise the security of mobile devices, thereby gaining unauthorized access to sensitive information. This could include real-time location data, conversations recorded by the microphone, photos and files stored on the device, and detailed device information.
One of the most concerning aspects of Moonshine spyware is its ability to masquerade as legitimate applications. By disguising itself as well-known apps such as Signal, Skype, WhatsApp, or even culturally specific apps like Tibetan Prayer or Uyghur Keyboard, it lures unsuspecting users into installing it. Once installed, it can perform its malicious activities undetected.
The cybercriminals behind Moonshine utilize various distribution methods to ensure their spyware reaches the intended targets. They may upload the infected apps to official app stores, like Google Play and Apple's App Store, or incorporate malicious code into otherwise harmless apps. This makes it challenging for users to recognize the threat and avoid downloading the compromised applications.
To protect yourself from Moonshine spyware, follow the advisory's recommendations: only download apps from official app stores, keep your device and apps up to date, avoid jailbreaking or rooting your device, review app permissions regularly, and enable Google Play Protect for an extra layer of security. Taking these precautions can reduce the risk of falling victim to this dangerous spyware.
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941
• Weekly Cyber Intelligence Briefings (REDSHORTS): https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.zdnet.com/article/5-ways-to-avoid-spyware-disguised-as-legit-apps-before-its-too-late/
© 2025 Red Sky Alliance Corporation. All rights reserved.