back to article We are shocked to learn oppressive authoritarian surveillance state China injects spyware into foreigners' smartphones

Authorities in a tumultuous region of China are ordering tourists and other visitors to install spyware on their smartphones, it is claimed. The New York Times reported today that guards working the border with Krygyzstan, in China's Xinjiang region, have insisted visitors put an app called Fengcai on their Android devices – …

  1. Blockchain commentard

    Some enterprising (probably Chinese) programmer should ctreate a dummy program with the same name/icon and preload it on their phones before entering the area. Flash it to the local border guards and be waved through.

    1. Just Enough
      Thumb Down

      Care to risk that?

      I'm sure they'd never catch on to that, and never invite people found with the dummy app into the backroom for special attention.

  2. Kevin McMurtrie Silver badge

    Well, then

    I guess I won't get into China with this 78 GB copy of Wikipedia on my phone.

  3. rcxb Silver badge

    When traveling in Brazil, you should carry a fake phone to hand over when (not if) you are mugged.

    When traveling in China, you should carry a fake phone to hand over to security services when (not if) they want to stalk you and steal all your private information.

    1. jgarbo
      Facepalm

      You don't think they'll run you through scanner to check for other devices? It's not Disneyland.

    2. .stu

      Or just don't walk about at night/downtown/in a favela waving a £1000 phone about. I've been going to Brazil regularly for the last 20 years and I can tell you you just need to use your common sense.

    3. I ain't Spartacus Gold badge

      I can go to China. I've still got Windows Phone 8 on my phone. Bet they've not got an app for that...

      In fact I just got a message flash up today saying that MS are only supporting apps until December, at which point they'll all stop working.

      1. Philip Lewis
        Devil

        A lifetime of VANS phones

        Looks on the shelf.

        N9. That still works for 3G+ telephony and they won't have that

        Xperia X running SFOS. Dump the Android 4.4.x emulation and that'll be safe as well.

        Some old 2G phones around, but not sure if 2G even exists in China

        Any iPhone4 or 3GS will have a version of iOS so old that their fruity app will probably bork - must have one here somewhere?

  4. John 104

    Sure, go ahead and install the app for me. Thanks.

    Walks away, resets phone.

    Problem solved.

    1. Ken Hagan Gold badge

      "Walks away, resets phone. Problem solved."

      Maybe. Maybe not. If the app contains a tracking facility and you "disappear" shortly after leaving border control, you may have trouble getting out again at the end of your visit. I suggest you delay the reset until you are safely back home.

      1. DuncanLarge Silver badge

        > I suggest you delay the reset until you are safely back home

        Too late, damage already done.

        Take a wiped / new smart phone attached to a new account or a feature phone. Leave your digital life outside the border and create a new one inside the border, thus they can simply watch what you get up to inside but have no look in to your real data that remains outside.

        When you leave, wipe the phone and destroy it (responsibly) / give it to the guards to keep.

        Or just get a feature phone. You can tweet via telnet running over a null modem connection to an apple 2 / C64 these days so sending an SMS to tweet should be a piece of cake.

        I give the same advice when going to the USA.

        1. Charles 9

          What's stopping feature phones having telemetry? I'm seeing feature phones with Facebook, after all.

    2. jgarbo
      Facepalm

      Tip: Always assume they are smarter than you. In your case, make it mandatory.

    3. big_D Silver badge

      And if it has installed a rootkit? Reseting the phone won't work, the only way to be sure is to shred it.

  5. elvisimprsntr

    Better yet, pull a Jason Bourne and pay cash for a pre-paid burner phone in country.

    1. Anonymous Coward
      Anonymous Coward

      Pre-paid burner phone ?

      In China ? Those who sell as well as those who buy this stuff wold rather play Russian roulette with 5 bullets in the cylinder. It's way much safer!

    2. Fred Dibnah

      Better yet yet, take a Nokia 3110.

      1. 0laf
        Mushroom

        Going to China (or let's be honest the USA as well) take a burner.

        You know your phone will be examined so don't take it. Take what you need and no more.

        If you're going to the states make sure you've no social media accounts or if you can't remove the app at least remove the account from the device.

        You can use the web for your email at least until you reinstall the app.

        If you going to China really you should expect to need to toss your devices when you get home or at least have them refomatted.

        1. Bonzo_red

          Never had my phone inspected at US border control. Do they insert the software remotely then?

          1. 0laf
            Big Brother

            https://www.theguardian.com/us-news/2017/apr/09/uk-tourists-to-us-may-get-asked-to-hand-in-passwords-or-be-denied-entry

            "Nearly all applicants for US visas will have to submit their social media details under newly adopted rules.

            The State Department regulations say people will have to submit social media names and five years' worth of email addresses and phone numbers.

            When proposed last year, authorities estimated the proposal would affect 14.7 million people annually."

            From the BBC June 19 - https://www.bbc.co.uk/news/world-us-canada-48486672

          2. goodjudge

            US border

            Presumably you're of Caucasian descent, unlike, say, my bearded, darkish-skinned, Spanish, brother-in-law who was regularly pulled for "random" additional security checks when flying on declared academic business. Thankfully he got a promotion before searching phones / social media accounts became the in-thing, and has delegated the US trips to some other poor sod.

        2. DuncanLarge Silver badge

          > If you going to China really you should expect to need to toss your devices when you get home or at least have them refomatted.

          No, chuck them. Never trust the device again. You can "reformat" the main OS but you cant reformat the other OS , the one that handles all the cell connections etc. Those chips are off limits to the likes of most people.

  6. jasonbrown1965

    Meanwhile, in Australia ...

    ... spooks just get their pet pollies to pass backdoor laws.

    You don't even need to bend over!

    1. tjbutt

      Re: Meanwhile, in Australia ...

      I'm still unsure if they'll ever get that to work, or have attempted to yet.

      Unfortunately it's another example of security overreach here.

  7. IGotOut Silver badge

    At least they are open about it...

    Unlike say the Israeli (Pegasus) and Italian (Exodus) spyware that get covertly installed on those pesky human rights folks phones.

    1. Anonymous Coward
      Anonymous Coward

      Re: At least they are open about it...

      To actually reset a phone that may have been compromised, you need the manufacturer specific flashing tools, partition map, and signed image including bootloader, radio firmwares, vendor partition, user partitions, cache, etc and write zeros to every space that isn't specifically repopulated with the original manufacturer programming. Including parts The flash chip that may not be documented or partitioned. It's never enough to simply do a factory reset.

      You have to wipe and Rewrite the entire flash chip in raw write mode.

      1. big_D Silver badge

        Re: At least they are open about it...

        Or simply shred it and buy a new phone. Probably safer.

        1. Claptrap314 Silver badge

          Re: At least they are open about it...

          I think that was the point.

    2. Anonymous Coward
      Anonymous Coward

      Re: At least they are open about it...

      They are open about it just because they want you to know they are spying you - it's a menacing warning, and they can do it as they please.

      Do you believe they don't use covert surveillance when the targets must not know it? How naive...

    3. theModge

      Re: At least they are open about it...

      Italian (Exodus)

      I thought that was made for export as much as domestic use?

    4. Muscleguy

      Re: At least they are open about it...

      During the Scottish IndyRef my Android phone had a strange feature. The phone reported it had much more data on it than adding stuff up or was reported when connected to a laptop. I ran virus checkers, file readers etc and looked for stuff at every level I could (Developer activated).

      Then I got an Android update and it resolved the situation. This was after the vote was over and I have no evidence of anything on my current device.

      When attending meetings of RIC (Radical Independence Campaign) I would ensure the phone was off or just leave it at home. Playing 'who is reporting to MI5' is fun as well. Not assuming any of this stuff happens when much more benign protestors and activists have MI5 files on them would be naive.

  8. Anonymous Coward
    Anonymous Coward

    I thought It had been well established that in this day and age, but if you're traveling internationally, that you don't bring electronic devices with you. You pick up a burner when you get in country, and you ditch it before you leave. They only do it because statistically results in oan uncertain x percentage of success. The key is to make it a lossy operation to the point where other parts of their government and influencing sources push to cut the program as irrelevant and a waste of money.

    If they going to implement such things, it's everyone's personal responsibility responsibility to make sure that it is as pointless and unjustifiably expensive as possible to do so.

    1. Anonymous Coward
      Anonymous Coward

      "I thought It had been well established that in this day and age, but if you're traveling internationally, that you don't bring electronic devices with you."

      And if it's in your job description to bring something electronic with you? Because it contains the very reason for your visit, and not bringing it with you is not an option? And no, a VPN is not an option (because China is already known to bork unsanctioned VPNs and other encrypted connections)?

      1. Anonymous Coward
        Anonymous Coward

        Then you make sure it is a device owned by your employer, so it becomes their problem when you return. They can't make you bring your own personal phone or laptop.

        1. e^iπ+1=0

          They can't make you bring your own personal phone or laptop.

          BYOD. As a condition of employment.

          They can't make you ... you're free to stop working there.

          1. Anonymous Coward
            Anonymous Coward

            Re: They can't make you bring your own personal phone or laptop.

            I have no problem using my personal phone for work (i.e. receiving work related calls on it) since I've ALWAYS done that and have refused any attempts to have me carry a second phone, but I'm not bringing it overseas and having it subject to a search let alone spyware installation. I'd set up a number via skype, rent a burner phone while I'm there and tell work to call me via that skype number. Then I'll turn in my charges for the burner phone rental and skype bill as expenses when I return.

            I'll tell them that's what I plan to do ahead of time - if they don't approve then I'll quit the day I was scheduled to leave on the trip and leave them screwed and scrambling to find someone else to do whatever it was I was supposed to travel for.

      2. theModge

        And no, a VPN is not an option (because China is already known to bork unsanctioned VPNs and other encrypted connections)?

        They try, but the number of Chinese students here in the UK running VPNs for their friends back home would suggest that they're ineffective in cracking down on them. From my colleges who travel it seems that something like your employers corporate VPN will work, even if say nordVPN is blocked. Not that this is a reliable bias for demonstrating your product if it requires a connection to your server at home, but if you're selling to anyone government owned in China you may well find there's a requirement to host your service locally anyway.

      3. Just Enough

        It goes with the job

        "And if it's in your job description to bring something electronic with you?"

        If it's your job, and you are going to China for your job, then your employer must be aware of the risks, and should be taking appropriate precautions. Don't take anything to China that your employer doesn't want the Chinese authorities to see.

        Don't take your personal devices with you, unless you apply the same criteria to your own data on it.

        Either way, don't mix your personal data with your employers data on the same device.

    2. .stu

      You've been watching too many spy movies.

      1. big_D Silver badge

        No, that is the official advice from anti-hacking units.

        A friend's server turned up on a list on a hacker forum. They told him to shred the hardware and do a fresh re-install on a new system and reload the data from a checked backup.

        Their advice for travelling to certain countries was to buy a disposable phone and throw it in the bin at the airport on the way back. The same for any laptop, no sensitive information on it and throw it away when you come back.

        1. Potemkine! Silver badge

          Their advice for travelling to certain countries was to buy a disposable phone and throw it in the bin at the airport on the way back. The same for any laptop, no sensitive information on it and throw it away when you come back.

          Good advice, but it makes the travel a little bit expensive, doesn't it?

          1. big_D Silver badge

            It can. We keep the old laptops and company phones in a cupboard, ready for issue to employees travelling to "at risk" destination. The laptops get a deep delete and re-install when we get them back and aren't connected to the network. No confidential information, they get to work over VPN on the terminal server.

            Likewise, the company phones (mainly old Windows Phones at the moment) get reset and the user can do a factory reset and leave them in the destination land when they are finished. No company email or company data on the phones.

            1. DMcDonnell

              RE: Deep delete.

              Be aware that there is the ability to infect the HDD firmware.

              https://www.schneier.com/blog/archives/2014/01/iratemonk_nsa_e.html

              1. big_D Silver badge

                Re: RE: Deep delete.

                Sorry, badly worded on my part. When we get the laptops back at the end-of-life, they are deep deleted, reformatted a new image put on them and put away for such trips. After the trip, the drive is destroyed and the device disposed of.

          2. DropBear

            Any long range plane ticket I've seen so far has been at least one order of magnitude more expensive than a "placeholder", entry-level smartphone; and that's not even talking about feature phones, if you don't absolutely need a smart one...

        2. Charles 9

          The problem becomes if you're not allowed to follow that advise, for example because the amount of data needed for your trip is too large to reliably obtain remotely...

      2. DuncanLarge Silver badge

        > You've been watching too many spy movies.

        Spy movies are fiction, this is real life.

        1. Anonymous Coward
          Anonymous Coward

          Ever heard the phrase, "truth is stranger than fiction"?

  9. Anonymous Coward
    Anonymous Coward

    Finally a use for windows phones

    Presume they havent got an app for that?

  10. Frumious Bandersnatch

    Social Credit

    China has none.

  11. Anonymous Coward
    Anonymous Coward

    Facebook is pre-installed on my phone

    and Samsung and or mobile service provider will not allow me to uninstall it.

    No, it's not in China, it's in a full-blown Western democracy.

    1. big_D Silver badge

      Re: Facebook is pre-installed on my phone

      On mine, I can delete it now (Android 8 and 9 on Huawei), but before that, I could disable it - I also disable most of the Google and manufacturer spyware on my phones as well.

    2. MJI Silver badge

      Re: Facebook is pre-installed on my phone

      I deleted it off mine, soon after did an update and it was reinstalled, with icons on screen and uninstall disabled.

      1. DropBear
        Facepalm

        Re: Facebook is pre-installed on my phone

        So you upgrade your Windows XP to 7 and you're surprised that the calc.exe you deleted is there again...? Because that's what OTA phone system updates are, not some "oh, just change this file here..."

    3. JJKing
      Happy

      Re: Facebook is pre-installed on my phone

      Then swap it for a Nokia AC. It only has a clean O/S straight from The Chocolate Factory. Absolutely ZERO bloatware installed.

      1. Charles 9

        Re: Facebook is pre-installed on my phone

        Wanna bet? I'm seeing Nokias with Facebook on them.

  12. jgarbo

    Surprised it took so long

    That area is a favorite recruiting ground for CIA assets. "Tourists" would be rightly suspected of nefarious intent. The CIA uses Muslim Uighurs in ISIS terror networks thought out the ME and north Africa, so the Chinese are right to be suspicious.

    1. david 12 Silver badge

      Re: Surprised it took so long

      Damn those CIA agents subverting and repressing terrorism in China. We want our Muslims to be free to commit terrorist activities, so that we can round them all up and intern them..

  13. Anonymous Coward
    Anonymous Coward

    Just leave the phone off

    Even better, don't ever visit China or its subsidiaries.

  14. Anonymous Coward
    Anonymous Coward

    "don't ever visit China or its subsidiaries"

    Which, when it comes to free press, it's exactly what China wants. Repression works best in the silence.

    1. Potemkine! Silver badge

      Re: "don't ever visit China or its subsidiaries"

      Repression works best in the silence.

      Everybody knows the horrors committed in North Korea, it does not deter Norks to continue. Knowledge is not a way to stop atrocities. Sadly.

      If there's no money involved, a dictatorship can freely torture, murder, exterminate, nobody will care.

      1. Anonymous Coward
        Anonymous Coward

        "Everybody knows the horrors committed in North Korea"

        Do we? We have scanty reports, second hand information, and North Korea likes to play with that - look at the reports someone has been eliminated and then reappears - it's a tactic to make sources look unreliable.

        Do we have images from their camps? Direct reports from independent journalists? We mostly have some cheerleaders from abroad allowed to visit it - and only see what they want you to see.

      2. DropBear

        Re: "don't ever visit China or its subsidiaries"

        There's a huge difference between open knowledge of shittery committed existing _outside_ and _inside_ a dictatorship. They generally tend to not give a shadow of a flying fsck about what people outside know (well they do prefer you not knowing but if that's not an option: meh...) but anything being discussed inside tends to be cracked down on with extreme prejudice. As long as people inside can't get organized or even become aware of the true scale and nature of things going on, nobody cares how much democratic states might dislike a dictatorship they already despise anyway.

        How sure are you "everybody" inside North Korea also knows all about those horrors (assuming they didn't happen to their neighbour / family), and how many might even dismiss them as subversive rumours and western propaganda, when people's access to information is basically limited to what their state has been telling them all their life (at full volume, day in and day out, because why not) and what they might gossip about with their neighbour (assuming they dare opening their mouths at all in front of someone who might any time be a state informant)...? You will find nothing but "fervently patriotic righteous people*" anywhere you look in a country where it's reasonably well known (or suspected) that anything else may well get you "un-personned".

        *that's what they will be looking like, and you'll never tell how many might be faking it, because those you could tell tend to fail the Darwin test by definition. All you will know for certain is that at least some of them truly do believe most of it...

        1. Anonymous Coward
          Anonymous Coward

          Re: "don't ever visit China or its subsidiaries"

          There's also a huge difference when you all you know are just some written reports from a few anonymous sources, and a few witnesses interviews, and when the full horror and atrocities are shown you directly, broadly, and brutally.

  15. big_D Silver badge
    Black Helicopters

    Burner phone...

    A friend had a visit from government security specialists and one piece of advice was that if you are travelling to such countries, you should use a disposable phone during your stay and just reset it and throw it in the bin at the airport when you fly back home. The same advice was also given for laptops and tablets, just throw them in the bin, when your visit is over.

    You don't know what could have been installed and you can never be certain that it has been successfully removed (UEFI rootkits etc.)

    1. adam 40 Silver badge

      Re: Burner phone...

      That sounds like a massive waste of the planet's resources.

      Why not wipe it, bring it back, and sell it on Fleabay?

      That way whoever is "watching" you, will get completely random input from someone else.

      1. Claptrap314 Silver badge

        Re: Burner phone...

        You underestimate the value of "random" real data.

  16. James 51

    Sounds like a business case for BB10 (or even BB7).

    1. Anonymous Coward
      Anonymous Coward

      Sounds like a business case for BB10 (or even BB7).

      These aren't the (An)droids you're looking for...

    2. Anonymous Coward
      Anonymous Coward

      I looked, and BB Q10s are still selling new for far more than I expected. You may have a point.

      I really liked my Q10 but the banks refused to support it.

      1. James 51
        Gimp

        I really like my Q10 as well. If my infant son hadn't used it as a teething ring and drooled into the microphone it would still be my main phone (was in contract at the time but Vodafone just kept playing support pingpong until the contract ended). The amazon app store still works, that's what I use overdrive on. Some of the websites do come up with your browser is too old message now.

  17. Potemkine! Silver badge

    Never ever make a leisure travel in a dictatorship, it's like giving money for the Wardens.

  18. MJI Silver badge

    How about a Symbian phone?

    Would an old Nokia be safe?

  19. ForthIsNotDead
    Trollface

    I wonder what they'd do when presented...

    ...with my old Nokia 6310i

    1. Mahhn

      Re: I wonder what they'd do when presented...

      they will say "ahh, okay, we already tracking that one"

  20. Anonymous Coward
    Anonymous Coward

    Prison planet

    The term Prison Planet, I used to think it was a joke, or sci-fi movie crap.

    I wonder if it will be illegal to not own a phone soon.

  21. amanfromMars 1 Silver badge

    Whatever next? They? just make it all up for IT and Media, don't they?

    Authorities in a tumultuous region of China are ordering tourists and other visitors to install spyware on their smartphones, it is claimed.

    The New York Times reported today ......

    Say no more, Squire. FUD Gotta Rule.

  22. ConcernedCitizen
    Facepalm

    U.S.Government has DROPOUTJEEP.

    DROPOUTJEEP: "A software implant for the Apple iPhone that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted."[8]

    Between my cell carrier, U.S., and Chinese spyware it's a wonder my phone can still play my games.

  23. atropine blackout

    Plus Ca Change

    Having spent a bit of time in that part of China, I'd have to say that this level of repression is not really new - just different tech / better publicized. At that time (turn of the century), the roads in the area were some of the best in China - and were built *solely* for the benefit of heavy troop movements.

    Even then we used Chinese-made burner phones; cash, rather than credit cards - you get the drift..... maybe still good advice.

    Incidentally, part of the ongoing Han Chinese paranoia towards the Uighurs may stem from the fact that, unlike the Tibetans further South, the Uighurs are not (at all) given to turning the other cheek. In other (completely unreported at the time) news, the PLA and their nastier cousins, the Gong An, came off a decidedly poor second in several small encounters with Uighur groups in the desert West of Urumqi.

    Didn't really help in the long run though, and its hard to see this ending well.

  24. MonsieurTM

    Ha ha serves people right for visiting and givingoney to an oppressive regime... Uh-oh... I live is the UK... Oops...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like