The Communist Party of China appears to have code written into a propaganda app that allows it “superuser” access to all the data on the mobile phones on which it is downloaded.
Cure53, a German cybersecurity firm, conducted analysis of the code in the app and found that it enables the owners of the app to retrieve every message and photo from a user's phone, browse their contacts and internet history, and activate an audio recorder inside the device, according to the firm's report.
The firm was contracted to investigate the app by the Open Technology Fund, an initiative funded by the US government under Radio Free Asia.
Sarah Aoun, director of technology at the Open Technology Fund told the Washington Post that it means the Party essentially has access to the user data of over 100 million people, noting that the Chinese government is expanding its surveillance of citizens' day-to-day lives.
The app, called 'Study the Great Nation', was launched by the Communist Party in January and quickly became the most downloaded app on Apple’s app store in China, and on several Android app stores (Google and its Play Store are blocked in China). It has reportedly been downloaded on more than 100 million devices.
The app contains news articles and videos, many of them about Xi's activities or his ideology, 'Xi Jinping Thought'. Users of the app are rewarded with "study points" which can be redeemed for gifts in the app.
Cure53 said it managed to prove through its analysis of the ‘Study the Great Nation’ app one case of a clear human rights violation, according to the European Convention on Human Rights.
In its report, it said the app collects the following information on its users:
- General information about the phone (IMEI, device model, brand, device ID, AppKey, info on whether the device is rooted)
- Connection information (Wifi-SSID, carrier, VPN-check)
- User-information (UIDs, cookies, session-IDs, Event-, Page- and Track-IDs, calls, call statistics, contacts)
- Running processes and services
“Given that the majority of citizens run this application, it essentially gives the government the capacity to determine - among other information - the location of every citizen at any single point in time,” the report read.
The app also contains code resembling a back door “which is able to run arbitrary commands on citizen phones with superuser privileges,” the report said. The firm said it was “difficult to justify" why an educational app would require this code. However, no evidence of usage could be identified during the test. The firm said further investigation is required to determine whether the code is used to perform malicious activities.
It suggested that Alibaba, the official maintainer of the app, appears to be the architect of the questionable artifacts found in the code.
The app also has all the capabilities it would need for more invasive mass data collection, Cure53 found, since many of its features requires permissions such as location, face recognition, microphone and camera access, call log and contact processing.
“The scale and potential to exploit this through hidden functionality in the obfuscated code should be the subject of further investigation,” the firm concluded.