Staff Reporters
Oct 14, 2019

Chinese Communist Party reported to have ‘back door’ access to 100 million users' phones

The party is allegedly able to access extensive data on more than 100 million mobile phones through its propaganda app, with Alibaba potentially behind the 'questionable' code.

President Xi Jinping leads the Communist Party of China

The Communist Party of China appears to have code written into a propaganda app that allows it “superuser” access to all the data on the mobile phones on which it is downloaded.

Cure53, a German cybersecurity firm, conducted analysis of the code in the app and found that it enables the owners of the app to retrieve every message and photo from a user's phone, browse their contacts and internet history, and activate an audio recorder inside the device, according to the firm's report.

The firm was contracted to investigate the app by the Open Technology Fund, an initiative funded by the US government under Radio Free Asia.

Sarah Aoun, director of technology at the Open Technology Fund, told the Washington Post that it means the Party essentially has access to the user data of over 100 million people, noting that the Chinese government is expanding its surveillance of citizens' day-to-day lives.

The app, called 'Study the Great Nation', was launched by the Communist Party in January and quickly became the most downloaded app on Apple’s app store in China, and on several Android app stores (Google and its Play Store are blocked in China). It has reportedly been downloaded on more than 100 million devices.

The app contains news articles and videos, many of them about Xi's activities or his ideology, 'Xi Jinping Thought'. Users of the app are rewarded with "study points" which can be redeemed for gifts in the app.

Cure53 said its analysis of the ‘Study the Great Nation’ app managed to prove one case of a clear human rights violation, according to the European Convention on Human Rights.

In its report, it said the app collects the following information on its users:

  • General information about the phone (IMEI, device model, brand, device ID, AppKey, info on whether the device is rooted)
  • Connection information (Wifi-SSID, carrier, VPN-check)
  • User-information (UIDs, cookies, session-IDs, Event-, Page- and Track-IDs, calls, call statistics, contacts)
  • Location
  • Running processes and services

“Given that the majority of citizens run this application, it essentially gives the government the capacity to determine - among other information - the location of every citizen at any single point in time,” the report read.

The app also contains code resembling a back door “which is able to run arbitrary commands on citizen phones with superuser privileges,” the report said. The firm said it was “difficult to justify” why an educational app would require this code. However, no evidence of usage could be identified during the test. The firm said further investigation is required to determine whether the code is used to perform malicious activities.

It suggested that Alibaba, the official maintainer of the app, appears to be the architect of the questionable artifacts found in the code.

The app also has all the capabilities it would need for more invasive mass data collection, Cure53 found, since many of its features require permissions such as location, face recognition, microphone and camera access, call log and contact processing.

“The scale and potential to exploit this through hidden functionality in the obfuscated code should be the subject of further investigation,” the firm concluded.

