Intelligence agencies from the UK, US, Canada, Germany, Australia, and New Zealand have exposed a disturbing global spyware campaign aimed at silencing dissent.
Malicious apps, designed to look like everyday tools, have been quietly spying on activists, minority groups, and critics of the Chinese government.
This isn’t the typical data breach story we are used to. It’s deeper. Covert. Targeted. And deliberate.
In a joint advisory issued on Tuesday, the UK’s National Cyber Security Centre (NCSC), backed by GCHQ, revealed that two spyware software—BadBazaar and Moonshine—have been embedded inside Android apps that appear safe.
These apps were carefully built to mirror popular tools like Telegram, WhatsApp, Adobe Acrobat, and even religious apps designed for Muslims and Buddhists.
These digital decoys were more than just annoying malware. They turned phones into portable surveillance devices—recording conversations, tracking movements, stealing photos, and reading private messages. And all of it happening without the user’s knowledge.
The spyware wasn’t scattered randomly across app stores. It had a purpose and targets.
The reports say the apps were used to zero in on Uyghur Muslims, Tibetans, Taiwanese independence activists, and supporters of Hong Kong’s pro-democracy movement and the Falun Gong spiritual group. Most of the targets live outside China, but their work or beliefs are seen by Beijing as threats to national stability.
Let’s not sugar-coat it—this is state-level digital stalking.
“These apps specifically target individuals internationally who are connected to topics that are considered by the Chinese state to pose a threat to its stability, with some designed to appeal directly to victims or imitate popular apps,” the NCSC stated.
The two spyware families seen on android apps have been previously dissected by cybersecurity outfits like Trend Micro, Lookout, and Volexity, as well as Citizen Lab, a nonprofit watchdog that has long tracked Chinese cyber activity.
BadBazaar, for instance, is known to have disguised itself as encrypted messengers and file-sharing apps. Moonshine, on the other hand, reportedly posed as a custom-built suite of tools tailored for certain targets, including Tibetans.
In total, over 100 Android apps were identified. The decoys included everything from prayer apps and language learning tools to document readers and chat platforms. One iOS app, TibetOne, even made its way to Apple’s App Store back in 2021.
Google and Apple have yet to comment publicly on whether the listed apps have been removed or how many users might have been affected.
The advisory reiterates that the tools we trust to communicate and organise can be twisted into weapons of surveillance.
