The UK’s National Cyber Security Centre (NCSC) has issued a stark warning over the use of malicious spyware apps that are harvesting sensitive phone data—such as audio, camera feeds, location, and personal messages—potentially for the benefit of Chinese state interests.
According to new guidance released on Wednesday, cyber experts have identified two strains of malware, dubbed MOONSHINE and BADBAZAAR, that are being deployed via a sophisticated technique known as trojanising—where malicious software is hidden inside seemingly legitimate apps. Once installed, the spyware operates covertly, granting attackers access to a wide range of personal information without the user’s knowledge.
The NCSC says these tools are being used to target Uighur, Tibetan and Taiwanese individuals globally—communities often considered politically sensitive by the Chinese government. The spyware, it warns, is capable of enabling surveillance and even harassment by tracking real-time activities through a user’s device.
The report, published in partnership with cyber security agencies from Australia, Canada, Germany, New Zealand and the United States, urges users—particularly those from vulnerable communities—to be vigilant and adopt simple digital hygiene practices.
In a joint advisory, the agencies stated:
“Although BADBAZAAR and MOONSHINE have been observed targeting Uighur, Tibetan and Taiwanese individuals, there are other malware strains likely targeting minority groups both within China and abroad. Individuals perceived to be supporting causes that threaten regime stability are almost certainly under threat from mobile malware.”
Among the spyware’s most concerning features is its ability to activate phone microphones and cameras, read encrypted messages, extract photos, and track a user’s exact location—all without raising suspicion.
Some of the malicious apps are disguised as culturally specific tools, such as “Tibet One” or “Audio Quran”, tailored to appeal to specific user groups. Others imitate widely used communication platforms like WhatsApp or Skype to boost their legitimacy.
The NCSC has outlined four essential steps to help individuals safeguard their devices:
- Stay mainstream – Only install apps from trusted, official app stores such as Google Play or Apple’s App Store.
- Stay organised – Regularly review installed apps and check the permissions granted to each one.
- Stay in touch – Report suspicious files, apps or links to relevant cyber security bodies.
- Stay safe – Remain cautious when opening shared files or clicking on unfamiliar links.
The guidance highlights how spyware tools like BADBAZAAR and MOONSHINE are more than just threats to individual privacy—they serve as instruments of international surveillance, capable of monitoring dissent and curtailing freedom of expression.
“These tools almost certainly provide the opportunity to inform future surveillance and harassment operations,” the advisory said. “They enable access to intimate details of a person’s life and movements, which could be used in coercive or politically motivated ways.”
Civil society groups and diaspora communities are also being swept up in the surveillance net, the NCSC noted, reinforcing long-standing concerns about foreign interference and the extension of authoritarian tactics beyond national borders.
This latest joint advisory follows a series of international moves to counter state-linked cyber espionage. It represents a renewed push to empower individuals, particularly those at risk, to take proactive steps in securing their digital environments.
Experts warn that, given the ever-evolving landscape of mobile malware, ongoing vigilance is essential.
The NCSC said it would continue to monitor the threat closely and collaborate with international partners to raise awareness and share intelligence. For users concerned about potential spyware on their devices, the advice is clear: review apps, monitor for unusual behaviour, and seek support if anything appears amiss.