How China uses malware to track Muslim Uighurs, even if they’ve fled the country

China’s campaign against its Muslim minorities — especially the Uighurs who live in the western province of Xinjiang — is well-documented.

As many as 2 million Muslim Uighurs have reportedly been incarcerated in re-education camps, officially known as “vocational training centers.” And members of the Uighur diaspora living outside of China say the government’s mass surveillance apparatus makes it impossible to have a conversation with family members in Xinjiang without officials listening in.

The suppression of Uighurs has prompted international condemnation. Now, a new report by Lookout, a San Francisco mobile security firm, has found that China has been using software to track Uighurs and their diaspora since 2013 — much earlier than previously known.

Researchers at Lookout learned hackers created tools disguised as third-party apps to tap into phones in Xinjiang, which then allowed them to record and export information. The malware followed Uighurs even as they fled repression in China to countries across the world.

Apurva Kumar, a security researcher with Lookout and a co-author of the report, spoke with The World’s host Marco Werman about the firm’s findings on the Chinese government’s surveillance of Uighurs. 

Marco Werman: What do the new findings in this report tell us about how aggressive the Chinese government’s surveillance campaign is against the Uighurs?

Apurva Kumar: The new findings that we talk about in our report here actually showcase four separate malware families that have never been discovered or discussed before. And we know that the targeting is actually quite widespread, and it is also not limited only to China and Uighurs, but may also be targeted towards Tibetans and also Uighur populations outside of China. And yet the topic of those apps is still bent towards Uighurs or Muslim communities, which tells us that there is a certain focus of these communities worldwide.

So how is it different than Chinese officials, for example, listening in to or watching phone calls between Uighur families and text messages?

The difference here is that the software is installed on their mobile devices and is taking this information without their knowledge specifically on that application, nowhere does it warn you that this is going to be the case. I presume that if you are in China and you’re on the phone, you suspect, obviously, that data is going somewhere. But presumably on a secure messaging application or, let’s say, on a keyboard application, you’re not suspecting it to take all of your contacts and call logs.

As far as Uighurs, though, and Muslim minorities in western China, if this was happening before, many thought it was this surveillance. Does that change the timeline of what we thought we knew of China’s repression of Uighurs?

I think people understood very well that Uighurs within China were being monitored in whatever way they were given public reporting. But I think what’s different here is that it’s actually following the Uighur communities as they go around the world. So through public reporting, we know that there are Uighur communities or Uighur people that have escaped to places like Turkey or Indonesia and Malaysia. And now we see this in the targeting. And I think this is in line with some of the findings that we’ve had.

What surprised you most as you conducted this research?

I guess the most surprising thing about it was that the actors behind all of these malware tools reuse the same servers to conduct all of these different campaigns. So a campaign is usually a malware or software and then a certain target or a group of people being targeted. So what we saw was that there were various communities all around the world or within China that were being targeted. But then the same infrastructure or related infrastructure or servers on the Internet were being used to communicate to all of these things and get all of the user’s personal data. So that was quite surprising to us, the fact that such an advanced actor was able to make a basic mistake like that.

What are Uighur activists to do with this information?

I think it’s very important to understand the risk that you have when you are using a mobile device. It is important to understand that somebody who may be trying to surveil you may be focusing on things that you cannot avoid. For example, Uighurs speak their own language with a specific character set. And this malware specifically focuses on apps that are keyboards or fonts, specifically for Uighur. And so that tells us that they are targeting in a very, very particular way. And most likely Uighur people or Uighur activists are probably communicating in Uighur. And so they need those characters and fonts to communicate with each other. And so it is very important to know how at-risk you might be and exactly what the capabilities of your adversary are in order to protect yourself.

This interview has been condensed and edited. 
