Full Report
The advisories say the spyware apps are used to target members of civil society who may oppose China’s state interests.
Analysis Summary
The provided article describes a joint advisory by several governments regarding two specific spyware families found bundled within Android applications. Since the article focuses on the malware and the governmental response rather than attributing the campaign to a named threat actor (an APT number or other tracked group alias), this summary focuses on the identified malware campaigns and the state nexus implied by the targeting.
# Threat Actor: Unnamed State-Sponsored Entity (Associated with BadBazaar & Moonshine)
## Attribution & Identity
The advisory does not name an operator, but the activity is strongly implied to be state-sponsored, given the targeting pattern (Uyghurs, Tibetans, and civil society opposing China's state interests) and the involvement of intelligence and security agencies from the US, UK, Australia, Canada, Germany, and New Zealand in issuing the advisory. The malware families **BadBazaar** and **Moonshine** have been previously analyzed by firms including Lookout, Trend Micro, and Volexity.
## Activity Summary
A coalition of governments (the UK NCSC, part of GCHQ, together with agencies from AU, CA, DE, NZ and the US) issued joint advisories on the spyware families BadBazaar and Moonshine. Both operations hide surveillance malware inside legitimate-looking Android applications, so the delivery vehicle is a mobile trojan rather than an exploit of the device itself.
## Tactics, Techniques & Procedures
- Deployment via deceptive, legitimate-looking Android applications ("trojan" malware).
- Surveillance capabilities including accessing device cameras, microphones, chats, photos, and location data.
- *(Note: Specific MITRE ATT&CK IDs were not present in the provided text, but the TTPs align with Mobile Malware tactics.)*
## Targeting
- Sectors: Civil society groups, political communities, and minority groups.
- Geography: Not stated in the advisories. Targeting is defined by a community's relationship to the People's Republic of China (PRC), i.e. diaspora and groups opposing its state interests, rather than by any single country, which is consistent with six governments warning their own residents.
- Victims: Uyghurs, Tibetans, and Taiwanese communities.
## Tools & Infrastructure
- Malware families used: **BadBazaar** and **Moonshine** (Spyware/Surveillanceware).
- Infrastructure: Not detailed in the provided snippet (no C2 domains or IPs explicitly mentioned).
## Implications
This activity represents sustained targeting of vulnerable minority and civil society groups across multiple countries by a likely state actor motivated by political suppression and intelligence collection against dissidents and opposition groups. Packaging the spyware as apps that look like ordinary community or utility software points to a broad initial infection vector: the apps may be distributed through third-party stores or direct sideloading, or may have passed official app store vetting, and the advisory text quoted here does not say which.
## Mitigations
- Review installed Android applications against the indicators published with the advisories from the UK NCSC and partner agencies, and remove any that match. For managed fleets, an inventory of installed package names pulled from the MDM or via `adb` is the practical starting point; a visual check of app names is not sufficient, because the malicious apps are built to look legitimate.
- Exercise caution when installing applications, especially those aimed at specific political or ethnic communities: install only from an official store and a verifiable publisher, and treat an app offered through a chat message, a forum link or a third-party store as untrusted by default.
- Monitor mobile devices for unauthorized use of sensitive features (camera, microphone, location). On Android this means reviewing the permission manager and, on Android 12 and later, the privacy dashboard for recent camera, microphone and location access by apps that have no obvious need for it.
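The first and third mitigations above amount to a triage procedure: enumerate what is installed, match package names against the advisory indicators, and then look at which sideloaded apps hold the permission set that gives camera, microphone, location, message and contact access. The script below is an added example of that procedure and is not code from the advisory or from any of the vendors named on this page. It parses the text that `adb shell pm list packages -f -3` and `adb shell dumpsys package <pkg>` print, so it can run offline against captures taken from a device. The indicator list `KNOWN_BAD_PACKAGES`, the sample `pm` and `dumpsys` output, and every package name in them are constructed placeholders; replace the indicator list with the package names the advisories publish.

```python
"""Offline triage of an Android package inventory against spyware indicators.

Added example, not advisory code. All package names, the indicator list and
the sample adb output below are constructed placeholders.
"""
import re

# Hypothetical placeholder indicators; replace with the package names
# published in the NCSC and partner advisories.
KNOWN_BAD_PACKAGES = {
    "com.example.badbazaar.sample",
    "com.example.moonshine.sample",
}

# Runtime permissions that together give the camera, microphone, location,
# chat/SMS and contact access the advisories attribute to the spyware.
SURVEILLANCE_PERMS = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
}

# Installer reported by dumpsys for apps that came from Google Play.
STORE_INSTALLERS = {"com.android.vending"}

# Flag a sideloaded app when it holds at least this many of the permissions
# above; chosen for the example, tune to the fleet's normal app population.
FLAG_THRESHOLD = 3


def parse_package_list(pm_output):
    """Parse `pm list packages -f` lines into {package_name: apk_path}.

    Each line looks like `package:<apk path>=<package name>`; the apk path
    itself contains `=` characters, so split on the last one.
    """
    pkgs = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(.+)=([A-Za-z0-9_.]+)$", line.strip())
        if m:
            pkgs[m.group(2)] = m.group(1)
    return pkgs


def parse_dumpsys(dumpsys_output):
    """Return (installer, granted_permissions) from `dumpsys package <pkg>`.

    Assumes the `installerPackageName=` field and the
    `<permission>: granted=true` lines as printed by dumpsys; `null` means
    no installer was recorded, i.e. the app was sideloaded.
    """
    installer = None
    granted = set()
    for line in dumpsys_output.splitlines():
        s = line.strip()
        if s.startswith("installerPackageName="):
            value = s.split("=", 1)[1]
            installer = None if value == "null" else value
        m = re.match(r"(android\.permission\.[A-Z_]+): granted=true", s)
        if m:
            granted.add(m.group(1))
    return installer, granted


def triage(pm_output, dumpsys_by_pkg):
    """Return [(package, reason)] for packages that need a closer look."""
    findings = []
    for pkg in parse_package_list(pm_output):
        if pkg in KNOWN_BAD_PACKAGES:
            findings.append((pkg, "matches advisory indicator"))
            continue
        installer, granted = parse_dumpsys(dumpsys_by_pkg.get(pkg, ""))
        sideloaded = installer not in STORE_INSTALLERS
        heavy = granted & SURVEILLANCE_PERMS
        if sideloaded and len(heavy) >= FLAG_THRESHOLD:
            short = sorted(p.rsplit(".", 1)[1] for p in heavy)
            findings.append((pkg, "sideloaded, granted: " + ", ".join(short)))
    return findings


# Constructed sample output in the shape of `adb shell pm list packages -f -3`.
SAMPLE_PM_LIST = """\
package:/data/app/~~Ab12==/com.example.chat-Xy9==/base.apk=com.example.chat
package:/data/app/~~Cd34==/com.example.moonshine.sample-Qw8==/base.apk=com.example.moonshine.sample
package:/data/app/~~Ef56==/com.example.community.news-Rt7==/base.apk=com.example.community.news
"""

# Constructed excerpts of `adb shell dumpsys package <pkg>` for two of them.
SAMPLE_DUMPSYS = {
    "com.example.chat": """\
  Package [com.example.chat] (a1b2c3):
    installerPackageName=com.android.vending
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
""",
    "com.example.community.news": """\
  Package [com.example.community.news] (d4e5f6):
    installerPackageName=null
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
""",
}

if __name__ == "__main__":
    for pkg, reason in triage(SAMPLE_PM_LIST, SAMPLE_DUMPSYS):
        print(f"{pkg}: {reason}")
```

On a real device, capture the inputs with `adb shell pm list packages -f -3 > pm.txt` and one `adb shell dumpsys package <pkg>` per third-party package, then feed the files to `triage`. The installer check is a heuristic, not proof: a Play-installed app can still be malicious, and the sample flags the Play-installed chat app as clean only because the permission check is gated on sideloading. An indicator match is the only finding that should be treated as confirmed; a sideloaded app with the full surveillance permission set is a lead for forensic review of the APK and its signing certificate.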