12:00am, 9 April 2025
TLP Rating:
MOONSHINE and BADBAZAAR spyware targeting communities and groups
What’s happening
Systems affected:
The malicious software — known as MOONSHINE and BADBAZAAR — hides malicious functions inside otherwise legitimate apps. This technique is called ‘trojanising’.
What this means:
Spyware is a type of malicious software (malware) that collects information from a device without a user’s consent. It can capture keystrokes, screenshots, login credentials, email addresses, and other personal information.
What to look for
How to tell if you are at risk
The advisories warn that these apps target individuals around the world who are connected to topics the Chinese state views as threats to its stability. Some are designed to imitate popular apps or appeal directly to the people they target.
What to do
Prevention
To help keep users safe, the advisories include guidance for app store operators, developers, and social media platforms.
Individuals at risk are strongly encouraged to follow this advice to protect their devices and personal information.
The NCSC has resources and advice on Own Your Online to help individuals and businesses secure their devices and accounts. Be cautious when downloading any app.
If you’ve experienced a cyber security incident, you can report it to the NCSC.
Download the advisories
Technical analysis and mitigations | NCSC-UK
Four tips to stay secure on your smartphone | NCSC-UK
More Information
These advisories have been jointly published by the:
- NCSC-UK,
- Australian Signals Directorate’s Australian Cyber Security Centre (ACSC),
- Canadian Centre for Cyber Security (CCCS),
- German Federal Intelligence Service (BND),
- German Federal Office for the Protection of the Constitution (BfV),
- United States Federal Bureau of Investigation (FBI), and
- United States National Security Agency (NSA).