NCSC Warns of MOONSHINE & BADBAZAAR Malware

The UK’s National Cyber Security Centre (NCSC) and international partners have issued urgent advisories warning about sophisticated spyware targeting specific communities globally. 

The malware variants, identified as MOONSHINE and BADBAZAAR, are being deployed in surveillance campaigns against Uyghur, Tibetan, and Taiwanese individuals and civil society organizations.

Security researchers have attributed MOONSHINE to the Chinese-backed hacking group POISON CARP (also known as Evil Eye and Earth Empusa), while BADBAZAAR has been linked to APT15 (also known as VIXEN PANDA and NICKEL). 

Both malware families are designed to collect extensive personal data from infected devices.

Sophisticated Surveillance Tools

“We are seeing a rise in digital threats designed to silence, monitor, and intimidate communities across borders,” warned NCSC Director of Operations Paul Chichester in the advisory. “The use of these two forms of spyware is clearly unacceptable.”

The malicious actors deploy their surveillance tools by “trojanizing” legitimate-appearing applications. Some mimic popular platforms like WhatsApp and Skype, while others are standalone apps designed to appeal specifically to targeted communities.


For example, “Tibet One,” an iOS app uploaded to the Apple App Store in December 2021 (since removed), was created to deliver BADBAZAAR spyware to Tibetan users. 

Similarly, “Audio Quran” utilizes MOONSHINE to target Uyghur Muslims by presenting itself as a religious application.

These apps have been promoted in community-specific online forums, including Telegram channels and Reddit communities frequented by potential victims.

Extensive Data Collection Capabilities

Once installed, these surveillance tools can access:

  • Device microphones and cameras.
  • SMS messages and call records.
  • Contact information.
  • Photos and media files.
  • Real-time location tracking.
  • WeChat database files.

The advisory warns that this data “almost certainly provide[s] an opportunity to facilitate digital surveillance and harassment” of targeted individuals.

Cybersecurity agencies from six nations jointly published the advisory: the UK’s NCSC, Australia’s ACSC, Canada’s CCCS, Germany’s BND and BfV, New Zealand’s NCSC-NZ, and the United States’ FBI and NSA.

This coordinated response exemplifies the NCSC’s recent “Cyber League” initiative, which brings together government analysts and industry experts to track emerging cyber threats. 

Protection Recommendations

The NCSC urges at-risk individuals to follow four key protective measures:

  • Stay mainstream: Only use official app stores and avoid jailbreaking or rooting devices.
  • Stay organized: Regularly review installed apps and their permissions.
  • Stay in touch: Report suspicious messages and files to platform providers.
  • Stay alert: Exercise caution with links and files shared on social media.
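The “stay organized” step can be partly scripted. The following is an added example, not code from the advisory or any named project: it parses an excerpt shaped like `adb shell dumpsys package` output (the field layout is assumed from current Android releases, and the sample data and package names are constructed) and flags apps that were not installed from Google Play yet hold several of the permissions behind the capabilities listed above (microphone, camera, SMS, call records, contacts, location).

```python
import re

# Permissions matching the capabilities the advisory lists (mic, camera, SMS, call log, contacts, location).
SURVEILLANCE_PERMS = {
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.READ_SMS", "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; None means sideloaded

# Constructed excerpt shaped like `adb shell dumpsys package` output (layout assumed, names made up).
SAMPLE_DUMPSYS = """\
  Package [com.example.messenger] (a1b2c3):
    installerPackageName=com.android.vending
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true
      android.permission.CAMERA: granted=true
  Package [com.example.sideloaded] (d4e5f6):
    installerPackageName=null
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true
      android.permission.READ_SMS: granted=true
      android.permission.READ_CALL_LOG: granted=true
      android.permission.ACCESS_FINE_LOCATION: granted=true
      android.permission.CAMERA: granted=false
"""

def parse_dumpsys(text):
    """Map each package to its installer and the runtime permissions it actually holds."""
    apps, pkg = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*Package \[([\w.]+)\]", line):
            pkg = m.group(1)
            apps[pkg] = {"installer": None, "granted": set()}
        elif pkg and (m := re.match(r"\s*installerPackageName=(\S+)", line)):
            apps[pkg]["installer"] = None if m.group(1) == "null" else m.group(1)
        elif pkg and (m := re.match(r"\s*([\w.]+): granted=true", line)):
            apps[pkg]["granted"].add(m.group(1))
    return apps

def triage(apps, min_hits=3):
    """Flag apps not from a trusted store that hold at least min_hits sensitive permissions."""
    findings = []
    for pkg, info in apps.items():
        hits = sorted(info["granted"] & SURVEILLANCE_PERMS)
        if info["installer"] not in TRUSTED_INSTALLERS and len(hits) >= min_hits:
            findings.append((pkg, info["installer"], hits))
    return findings

if __name__ == "__main__":
    for pkg, installer, hits in triage(parse_dumpsys(SAMPLE_DUMPSYS)):
        print(f"{pkg} (installer={installer}): {', '.join(hits)}")
```

A flagged app is a starting point for review, not proof of infection; a legitimate sideloaded dialer or messenger will trip the same rule.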

Cybersecurity experts emphasize that while these malware variants specifically target certain groups, the “indiscriminate way this spyware is spread online also means there is a risk that infections could spread beyond intended victims.”

This warning comes amid increasing geopolitical tensions, including recent Chinese military drills around Taiwan and ongoing concerns about human rights in regions like Xinjiang and Tibet.


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.