BadBazaar is a previously unknown mobile threat that is designed to infect Android devices specifically. The threat is mostly equipped with spyware capabilities and appears to be primarily targeting ethnic or religious minorities in China. Its most prominent targets are the Uyghurs located in the Xinjiang autonomous territory. The Uyghur minority has been subjected to extreme oppression and potential human rights violations from the Chinese government, according to international reports.
The BadBazaar threat was first discovered by cybersecurity experts, but additional details were provided in a report by other researchers. According to their findings, the operators of BadBazaar were using the same infrastructure that was part of attack campaigns against the Uyghurs carried out by the APT15 (also known as Ke3chang and Pitty Tiger) cybercriminal group in 2020. By analyzing its Command-and-Control (C2, C&C) infrastructure, the experts were able to discover several connections to the Xi'an Tian He Defense Technology company, a Chinese defense contractor.
Distribution and Threatening Capabilities
The BadBazaar mobile threat was mostly spread via weaponized applications. Researchers estimate that since 2018 at least 111 threatening applications have been used to infect Uyghur targets. The applications are from a wide range of categories - from battery optimizers and video players to religious applications and dictionaries. The harmful applications were not able to bypass the security of the official Google Play Store, which suggested that they were mostly hosted and spread via third-party application platforms and corrupted websites.
Once activated on the infected device, BadBazaar will begin collecting various sensitive information and transmitting it to its C2 infrastructure. The obtained data includes a list of all applications installed on the breached device, its geolocation, contact lists, SMS, WiFi details and more. The attackers could use BadBazaar to get call logs with the associated geolocation data, record phone calls, take arbitrary pictures or exfiltrate chosen files. The malware could also be instructed to access folders typically used to store highly sensitive information, such as images, chat application messages, chat history and more.
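The two passages above give a defender a usable profile: the apps arrive outside Google Play, pose as low-privilege utilities (battery optimizers, video players, dictionaries), and yet need permissions for location, contacts, SMS, WiFi state, call logs, audio recording, the camera and file storage. The following Python script, an added example rather than code from the original report or from any researcher cited in it, turns that profile into a triage heuristic over a device's app inventory. The inventory records are constructed; in practice they would come from an MDM export or from `adb shell dumpsys package` output. The installer package name for Google Play (`com.android.vending`) and the `android.permission.*` constants are real Android values; the app package names, the category labels and the thresholds are assumptions chosen for the example.

```python
"""Triage heuristic: flag sideloaded Android apps whose requested
permissions cover several of the spyware capability clusters that the
BadBazaar description lists (added example, not the report's own code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Installer package that Google Play records for apps it installs.
GOOGLE_PLAY_INSTALLER = "com.android.vending"


def _p(name: str) -> str:
    """Expand a short permission name to the full android.permission.* string."""
    return "android.permission." + name


# Capability clusters named on the page, mapped to the permissions an app
# must hold to exercise each one. Matching any permission in a set counts.
CAPABILITY_PERMISSIONS: Dict[str, Set[str]] = {
    "geolocation": {_p("ACCESS_FINE_LOCATION"), _p("ACCESS_COARSE_LOCATION")},
    "contacts": {_p("READ_CONTACTS")},
    "sms": {_p("READ_SMS"), _p("RECEIVE_SMS")},
    "wifi_details": {_p("ACCESS_WIFI_STATE")},
    "call_logs": {_p("READ_CALL_LOG")},
    "call_recording": {_p("RECORD_AUDIO")},
    "camera": {_p("CAMERA")},
    "file_access": {_p("READ_EXTERNAL_STORAGE"), _p("MANAGE_EXTERNAL_STORAGE")},
}

# App categories from the page that have little legitimate need for the
# capabilities above; they get a lower tolerance (assumed labels).
LOW_PRIVILEGE_CATEGORIES = {"battery optimizer", "video player", "dictionary", "religious"}


@dataclass
class InstalledApp:
    package: str
    category: str
    installer: Optional[str]  # None when installed from a bare APK file
    permissions: Set[str] = field(default_factory=set)


def matched_capabilities(app: InstalledApp) -> List[str]:
    """Return the capability clusters the app's permissions would enable."""
    return sorted(cap for cap, perms in CAPABILITY_PERMISSIONS.items()
                  if app.permissions & perms)


def triage(app: InstalledApp) -> dict:
    """Score one app: sideloaded origin plus broad capability coverage is
    the combination the BadBazaar campaign relied on."""
    caps = matched_capabilities(app)
    sideloaded = app.installer != GOOGLE_PLAY_INSTALLER
    # A utility that should need almost nothing is suspicious sooner than
    # an app category (e.g. messaging) that legitimately uses several.
    threshold = 2 if app.category in LOW_PRIVILEGE_CATEGORIES else 4
    return {
        "package": app.package,
        "sideloaded": sideloaded,
        "capabilities": caps,
        "suspicious": sideloaded and len(caps) >= threshold,
    }


# Constructed inventory for the example (package names are made up).
SAMPLE_INVENTORY = [
    InstalledApp("com.example.batterysaver", "battery optimizer", None, {
        _p("ACCESS_FINE_LOCATION"), _p("READ_CONTACTS"), _p("READ_SMS"),
        _p("ACCESS_WIFI_STATE"), _p("READ_CALL_LOG"), _p("RECORD_AUDIO"),
        _p("CAMERA"), _p("READ_EXTERNAL_STORAGE"), _p("INTERNET")}),
    InstalledApp("com.example.dictionary", "dictionary", GOOGLE_PLAY_INSTALLER,
                 {_p("INTERNET")}),
    InstalledApp("com.example.messenger", "messaging", None,
                 {_p("READ_CONTACTS"), _p("CAMERA"), _p("RECORD_AUDIO")}),
    InstalledApp("com.example.videoplayer", "video player", None,
                 {_p("READ_EXTERNAL_STORAGE")}),
]


def run_triage(inventory: List[InstalledApp] = SAMPLE_INVENTORY) -> List[str]:
    """Return the packages that warrant analyst review."""
    return [r["package"] for r in map(triage, inventory) if r["suspicious"]]


if __name__ == "__main__":
    for app in SAMPLE_INVENTORY:
        print(triage(app))
    print("review:", run_triage())
```

The heuristic is deliberately coarse: it does not prove an app is BadBazaar, only that it shares the campaign's shape (third-party origin plus a permission set far wider than its stated purpose). A positive hit is the cue to pull the APK for static analysis and to check its network destinations against the C2 infrastructure the researchers attributed to the campaign.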