Malicious apps, designed to look like everyday tools, have been quietly spying on activists, minority groups, and critics of the Chinese government.

This isn’t the typical data breach story we are used to. It’s deeper. Covert. Targeted. And deliberate.

In a joint advisory issued on Tuesday, the UK’s National Cyber Security Centre (NCSC), backed by GCHQ, revealed that two spyware software—BadBazaar and Moonshine—have been embedded inside Android apps that appear safe. 

These apps were carefully built to mirror popular tools like Telegram, WhatsApp, Adobe Acrobat, and even religious apps designed for Muslims and Buddhists.

These digital decoys were more than just annoying malware. They turned phones into portable surveillance devices—recording conversations, tracking movements, stealing photos, and reading private messages. And all of it happening without the user’s knowledge.

The spyware wasn’t scattered randomly across app stores. It had a purpose and targets.

The reports say the apps were used to zero in on Uyghur Muslims, Tibetans, Taiwanese independence activists, and supporters of Hong Kong’s pro-democracy movement and the Falun Gong spiritual group. Most of the targets live outside China, but their work or beliefs are seen by Beijing as threats to national stability.

Let’s not sugar-coat it—this is state-level digital stalking.

“These apps specifically target individuals internationally who are connected to topics that are considered by the Chinese state to pose a threat to its stability, with some designed to appeal directly to victims or imitate popular apps,” the NCSC stated.

The two spyware families seen on android apps have been previously dissected by cybersecurity outfits like Trend Micro, Lookout, and Volexity, as well as Citizen Lab, a nonprofit watchdog that has long tracked Chinese cyber activity.

BadBazaar, for instance, is known to have disguised itself as encrypted messengers and file-sharing apps. Moonshine, on the other hand, reportedly posed as a custom-built suite of tools tailored for certain targets, including Tibetans.

In total, over 100 Android apps were identified. The decoys included everything from prayer apps and language learning tools to document readers and chat platforms. One iOS app, TibetOne, even made its way to Apple’s App Store back in 2021.

Google and Apple have yet to comment publicly on whether the listed apps have been removed or how many users might have been affected.

The advisory reiterates that the tools we trust to communicate and organise can be twisted into weapons of surveillance.

Unfortunately, with an increase in digital app use comes an increase in data security threats. More than 50% of all consumers have been victims of cybercrime, with 1 in 3 falling victim in 2021 alone.

As such, it is crucial for mobile app developers to start taking extra cybersecurity measures into consideration. When designing a successful app, most companies and developers will prioritize UI/UX design and coding for a better user experience, but it is clear that cybersecurity is just as essential, if not more so.

With sensitive user data and even company data becoming more at risk, companies cannot afford to skimp on cybersecurity.

Cyber Attacks Are Increasing With App Use

Apps have access to a significant amount of sensitive data, which is why most cyber attacks stem from vulnerabilities in mobile apps.

Cybercriminals purposely seek out weak spots, and mobile apps are a prime target because it’s an easy way for them to gain access to user data.

And because mobile apps are an easy target, mobile malware and other cyber threats are increasing. Mobile malware in Europe, alone, has experienced a 500% increase.

However, it’s important to note that while the majority of these cyber threats stem from mobile apps, they can also occur with web apps as well.

Web apps are starting to trend in B2B and B2C companies as they seek ways to make apps more accessible without requiring users to overload their phones with native mobile apps.

Just because web apps don’t require as many permissions and access to data, however, this doesn’t mean they don’t have vulnerabilities that can’t be exploited. In fact, research shows that numerous web apps are already exploited every year, including Java, Adobe Flash, and PDF.

This means that while mobile app security should be a priority, web app security is also important and should be considered. Apps that are cloud-based keep data more secure, in general, but there are still risks that stem from trusting a third party to house said data.

Essentially, any application that is accessed digitally — whether it’s on a mobile phone or a computer browser — can and likely will be targeted if vulnerabilities are not addressed.

Common App Security Threats To Keep in Mind

When developing an app, it’s important to get into the mind of a cybercriminal to see the vulnerabilities that they see.

If you only think like a developer, you will likely only design in a way that creates the coolest features, not the safest features — but safety is just as important, if not more so. It won’t matter if you have the best app on the market if it ends up compromising and exploiting user data.

So, think like an attacker and a developer when designing new apps. Ask yourself what code and design will work best for a satisfactory user experience and user safety. The following are some of the most common app security issues and threats to keep in mind.

Weak Code

It’s not uncommon for developers to use third-party libraries for code building. But borrowed code can very easily have flaws that contain malicious code or other vulnerabilities. Thus, it’s important for developers to double-check borrowed code for any issues. Just because it’s coming from a reputable site doesn’t mean it’s without flaws.

Failure To Encrypt Data Storage

The biggest issue that leads to data theft is unreliable and insecure data storage. Apps access and store so much private information, and if that data is not adequately encrypted, it puts users at risk.

Shockingly, studies have found that 76% of apps fail to meet data storage security standards. This is all too common for app users to go through, and a more secure app will only increase the number of downloads. Securing data storage should be a top priority when developing a new app.

Weak Authorization

While bad password habits are a user problem, app developers should account for this by creating more secure authorizations. This can be done by using a two-factor authentication process or by using biometrics, such as a thumbprint or face scan.

It’s also wise to use central authorization for the entire API, as information caches are a common target for cybercriminals trying to gain access. Only use authorized APIs in the app code.

Tamper Alerts

Tamper alerts can be incredibly helpful as they can notify users and developers of any issues so they can be handled in a timely manner.

You should set up alerts, for example, that enable users to be notified when someone uses their credentials to gain access from an unauthorized device. You can also set up alerts that notify the developers when the code has been modified or changed.

Penetration Testing

Even if you develop your app with cybersecurity in mind, mistakes can still happen. Do not automatically assume your app is threat-free, even if you took extra measures to secure your app. So before you launch, it’s crucial that you run penetration testing to double-check for any weak points or vulnerabilities. You should also run penetration tests any time the code is updated.

Final Thoughts

A successful app is a secure app. As we move into an age where more and more of our data is shared and stored online, especially through apps, it is crucial that companies and developers take extra precautions to protect that data. Even if your app has superior UI and UX design, it won’t matter if using your app results in data theft, putting your users at risk.

[Lead Image Source: Pexels]