Stay up to date with notifications from The Independent

Notifications can be managed in browser preferences.

China routinely installs secret surveillance app on tourists’ phones when they visit region of Muslim ‘re-education’ camps

Software gathers all stored text messages, call records, contracts and calendar entries, checking files against list of 73,000 frequently benign banned items 

Raymond Zhong
Wednesday 03 July 2019 11:29 BST
Children walk in shadow of surveillance cameras in heavily policed Xinjiang region, where Chinese officials are installing secret software into visitors' phones to gather data in crack down on Muslims' freedoms
Children walk in shadow of surveillance cameras in heavily policed Xinjiang region, where Chinese officials are installing secret software into visitors' phones to gather data in crack down on Muslims' freedoms (AFP)

China has turned its western region of Xinjiang into a police state with few modern parallels, employing a combination of high-tech surveillance and enormous manpower to monitor and subdue the area’s predominantly Muslim ethnic minorities.

Now, the digital dragnet is expanding beyond Xinjiang’s residents, ensnaring tourists, traders and other visitors — and digging deep into their smartphones.

A team of journalists from The New York Times and other publications examined a policing app used in the region, getting a rare look inside the intrusive technologies that China is deploying in the name of quelling Islamist radicalism and strengthening Communist Party rule in its far west.

The use of the app has not been previously reported.

China’s border authorities routinely install the app on smartphones belonging to travellers who enter Xinjiang by land from Central Asia, according to several people interviewed by the journalists who crossed the border recently and requested anonymity to avoid government retaliation.

Chinese officials also installed the app on the phone of one of the journalists during a recent border crossing. Visitors were required to turn over their devices to be allowed into Xinjiang.

The app gathers personal data from phones, including text messages and contacts. It also checks whether devices are carrying pictures, videos, documents and audio files that match any of more than 73,000 items included on a list stored within the app’s code.

Those items include Islamic State publications, recordings of jihadi anthems and images of executions.

But they also include material without any connection to Islamic terrorism, an indication of China’s heavy-handed approach to stopping extremist violence.

There are scanned pages from an Arabic dictionary, recorded recitations of Quran verses, a photo of the Dalai Lama and even a song by a Japanese band of the earsplitting heavy-metal style known as grindcore.

“The Chinese government, both in law and practice, often conflates peaceful religious activities with terrorism,” Maya Wang, a China researcher for Human Rights Watch, said.

“You can see in Xinjiang, privacy is a gateway right: Once you lose your right to privacy, you’re going to be afraid of practising your religion, speaking what’s on your mind or even thinking your thoughts.”

The United States has condemned Beijing for the crackdown in Xinjiang, which Chinese officials defend as a non-lethal way of fighting terrorism.

The region is home to many of the country’s Uighur Muslims, a Turkic ethnic group, and the Chinese government has blamed Islamist extremism and Uighur separatism for deadly attacks on Chinese targets.

In the past few years, China has placed hundreds of thousands of Uighurs and other Muslims in re-education camps in Xinjiang.

For the region’s residents, police checkpoints and surveillance cameras equipped with facial recognition technology have imbued life with a corrosive fear of acting out of turn.

With the scanning of phones at the border, the Chinese government is applying similarly invasive monitoring techniques to people who do not even live in Xinjiang or China.

Beijing has said that terrorist groups use Central Asian countries as staging grounds for attacks in China.

Three people who crossed the Xinjiang land border from Kyrgyzstan in the past year said that as part of a lengthy inspection, Chinese border officials had demanded that visitors unlock and hand over their handsets and computers.

On Android devices, officers installed an app called Fengcai (pronounced “FUNG-tsai”), a name that evokes bees collecting pollen.

A copy of Fengcai was examined by journalists from The New York Times; the German newspaper Süddeutsche Zeitung; the German broadcaster NDR; The Guardian; and Motherboard, the Vice Media technology site.

One of the journalists undertook the border crossing in recent months. Holders of Chinese passports, including members of the majority Han ethnic group, had their phones checked as well, the journalist said.

China’s security services are pressing members of the country’s Uighur minority abroad to spy on compatriots

Apple devices were not spared scrutiny. Visitors’ iPhones were unlocked and connected via a USB cable to a hand-held device, the journalist said. What the device did could not be determined.

The journalists also asked researchers at the Ruhr-University Bochum in Germany and the Open Technology Fund, an initiative funded by the US government under Radio Free Asia, to analyse the code of the Android app, Fengcai.

The Open Technology Fund then requested and funded an assessment of the app by Cure53, a cybersecurity company in Berlin.

The app’s simple design makes the inspection process easy for border officers to carry out.

After Fengcai is installed on a phone, the researchers found, it gathers all stored text messages, call records, contacts and calendar entries, as well as information about the device itself.

The app also checks the files on the phone against the list of more than 73,000 items.

This list contains only the size of each file and a code that serves as a unique signature. It does not include the files’ names or other information that would indicate what they are.

But at the journalists’ request, researchers at the Citizen Lab, an internet watchdog group based at the University of Toronto, obtained information about roughly 1,400 of the files by comparing their signatures with ones stored by VirusTotal, a malware-scanning service owned by Google sibling company Chronicle.

Additional files were identified by Vinny Troia, founder of cybersecurity firm NightLion Security; and York Yannikos of the Fraunhofer Institute for Secure Information Technology in Darmstadt, Germany.

Most of the files that the journalists could identify were related to Islamic terrorism: Islamic State recruitment materials in several languages, books written by jihadi figures, information about how to derail trains and build homemade weapons.

Many of the files were more benign. There were audio recordings of Quran verses recited by well-known clerics, the sort of material that many practising Muslims might have on their phones.

There were books about Arabic language and grammar, and a copy of The Syrian Jihad a book about the country’s civil war by researcher Charles R Lister.

Mr Lister said he did not know why the Chinese authorities might consider him or his book suspicious. He speculated that it might only be because the word “jihad” was in the title.

After Fengcai scans a phone, the app generates a report containing all contacts, text messages and call records, as well as lists of calendar entries and of other apps installed on the device. It sends this information to a server.

Support free-thinking journalism and attend Independent events

Two of the people who recently crossed the Xinjiang border said that before officials returned phones to their owners, they took photos of each owner’s passport next to his or her device, making sure that the app was visible on the screen.

This suggests that authorities have been told to be thorough in scanning visitors’ phones, although it was not clear how they were using the information they acquired as a result.

It also could not be determined whether anyone had been detained or monitored because of information generated by the app.

If Fengcai remains on a person’s phone after it is installed, it does not continue scanning the device in the background, the app’s code indicates.

Officials in Xinjiang are now gathering oceans of personal information, including DNA and data about people’s movements. It would not be surprising for the Chinese authorities to want this harvesting of data to begin at the region’s borders.

China’s Ministry of Public Security and the Xinjiang regional government did not respond to faxed requests for comment.

New York Times

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies


Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in