Foreigners crossing certain Chinese borders into the Xinjiang region, where authorities are conducting a massive campaign of surveillance and oppression against the local Muslim population, are being forced to install a piece of malware on their phones that gives all of their text messages as well as other pieces of data to the authorities, a collaboration by Motherboard, Süddeutsche Zeitung, the Guardian, the New York Times, and the German public broadcaster NDR has found.

"[This app] provides yet another source of evidence showing how pervasive mass surveillance is being carried out in Xinjiang. We already know that Xinjiang residents—particularly Turkic Muslims—are subjected to round-the-clock and multidimensional surveillance in the region," Maya Wang, China senior researcher at Human Rights Watch, said. "What you’ve found goes beyond that: it suggests that even foreigners are subjected to such mass, and unlawful surveillance."

In no way is the downloading of tourists’ text messages and other mobile phone data comparable to the treatment of the Uighur population in Xinjiang, who live under the constant gaze of facial recognition systems, CCTV, and physical searches. Last week, VICE News published an undercover documentary detailing some of the human rights abuses and surveillance against the Uighur population. But the malware news shows that the Chinese government’s aggressive style of policing and surveillance in the Xinjiang region has extended to foreigners, too.

The Android malware, which is installed by a border guard when they physically seize the phone, also scans the tourist or traveller's device for a specific set of files, according to multiple expert analyses of the software. The files authorities are looking for include Islamic extremist content, but also innocuous Islamic material, academic books on Islam by leading researchers, and even music from a Japanese metal band.

One tourist who crossed the border and had the malware installed on their device provided a copy to Süddeutsche Zeitung and Motherboard. A member of the reporting team from Süddeutsche Zeitung then also crossed the border and had the same malware installed on their own phone.

Motherboard has uploaded a copy of the Android app to our GitHub account. You can download the Android file here.

At the border crossing from Kyrgyzstan into China, surrounded by desolate, mountainous peaks, border authorities take travelers' phones to be searched and install the malware, called BXAQ or Fengcai. Those crossing the border entered a clean, sterile environment to be searched, and in all, the process of getting through several stages of scrutiny and security takes around half a day, one of the travelers said.

Together with the Guardian and the New York Times, the reporting team commissioned several technical analyses of the app. Penetration testing firm Cure53 on behalf of the Open Technology Fund, researchers at Citizen Lab from the University of Toronto, and researchers from the Ruhr University Bochum as well as the Guardian itself all provided insights about BXAQ. The app's code also includes names such as "CellHunter" and "MobileHunter."

BXAQ is installed on an Android phone by "side-loading" it and requesting certain permissions, rather than by downloading it from the Google Play Store. Once installed, it collects all of the phone's calendar entries, phone contacts, call logs, and text messages and uploads them to a server, according to expert analysis. The malware also scans the phone to see which apps are installed, and extracts the subject’s usernames for some installed apps. (Update: after the publication of this piece, multiple antivirus firms updated their products to flag the app as malware.)


The app does not try to hide itself. Instead, it displays an icon on the device's app select screen, suggesting that it is designed to be removed from the phone after use by the authorities.
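
A defender-side triage check based on the behaviour described above, added here as an illustration and not taken from the reporting or the analysts' work: it flags apps that were not installed from the Google Play Store and have been granted several of the permissions covering the data BXAQ is reported to collect. The `dumpsys package`-style input layout, the sample package names, and the `min_hits` threshold are assumptions constructed for this example.

```python
import re

# Permissions covering the data categories the article says BXAQ collects.
WATCHED = {
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CALENDAR": "calendar entries",
}
STORE_INSTALLERS = {"com.android.vending"}  # Google Play Store
# Constructed sample, shaped like `adb shell dumpsys package` output (assumed layout).
SAMPLE_DUMP = """\
Package [com.example.notes] (1a2b3c):
  installerPackageName=com.android.vending
  runtime permissions:
    android.permission.READ_CONTACTS: granted=true
Package [com.example.sideloaded] (4d5e6f):
  installerPackageName=null
  runtime permissions:
    android.permission.READ_SMS: granted=true
    android.permission.READ_CONTACTS: granted=true
    android.permission.READ_CALL_LOG: granted=true
    android.permission.READ_CALENDAR: granted=false
"""

def parse_packages(dump):
    """Return {package: {"installer": str or None, "granted": set of permissions}}."""
    packages, current = {}, None
    for line in map(str.strip, dump.splitlines()):
        if m := re.match(r"Package \[([^\]]+)\]", line):
            current = packages.setdefault(m.group(1), {"installer": None, "granted": set()})
        elif current and (m := re.match(r"installerPackageName=(\S+)", line)):
            # "null" means no installer of record, as with a side-loaded APK
            current["installer"] = None if m.group(1) == "null" else m.group(1)
        elif current and (m := re.match(r"([\w.]+): granted=true", line)):
            current["granted"].add(m.group(1))
    return packages

def flag_sideloaded_collectors(dump, min_hits=2):
    """List (package, data categories) for non-store apps granted >= min_hits watched permissions."""
    findings = []
    for name, info in parse_packages(dump).items():
        hits = sorted(WATCHED[p] for p in info["granted"] if p in WATCHED)
        if info["installer"] not in STORE_INSTALLERS and len(hits) >= min_hits:
            findings.append((name, hits))
    return findings

if __name__ == "__main__":
    print(flag_sideloaded_collectors(SAMPLE_DUMP))
```

A hit is only a prompt for manual review: many legitimate apps are installed outside the Play Store, and an app removed after use will no longer appear in the package list.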