Computer security researchers at Ruhr-Universität Bochum (RUB), in collaboration with the association of investigative journalists from NDR and Süddeutsche Zeitung (SZ), have analysed how the Chinese surveillance app works that travellers must have installed on their phones when crossing the border from Kyrgyzstan to China. The researchers have unearthed that the app scans the phone for approximately 73,000 specific files. Moreover, it compiles a report for the border officials, including for example the most recent phone activities, contacts, SMS, and social media accounts. The researchers published their findings online at https://dwuid.com/content/analyzing-mobilehunter. In the media, the investigation results were reported on 2 July 2019.
An SZ reader had informed the newspaper of the procedure where travellers have to hand over their unlocked phone to a border official for the purpose of installing the app. Subsequently, the media houses started investigating the issue and consulted Professor Thorsten Holz. The Head of the Chair for Systems Security at RUB’s Horst Görtz Institute for IT Security and one of the speakers of the CASA Cluster of Excellence (short for Cyber Security in the Age of Large-Scale Adversaries) is an expert for software application analysis.
Together with his PhD researcher Moritz Contag, he analysed both the actual app and more specifically two of the app’s helper programs that were available only in machine code format, i.e. ones and zeros. The code can be run by a processor, but is unreadable to humans.
Report on social media accounts and phone activities
The analysed Android app compiles a report containing information such as phone contacts, sent SMS messages and the recent call log, including the mobile station with which the phone was connected. With the aid of the first helper program, the app finds out which Chinese social media apps are installed on the phone and which accounts are linked with them.
The second helper program scans the phone for specific files. To this end, it contains a list of 73,315 so-called checksums. They are typically used to verify data integrity, pretty much like a digital fingerprint. If, for example, a user downloads a file from the Internet, the relevant checksum is typically also available. Following the download, the computer or the mobile device can calculate the checksum of the downloaded file and match it against the expected checksum. If the file was corrupted during download, the calculated and the expected checksums don’t match. File integrity is verified if both sums are the same.
Search for specific videos
Accordingly, the checksum constitutes a digital fingerprint of each file, i.e. each video, each text and audio file. The app calculates the checksums for all files available on the phone and matches them against an existing list. “However, it’s not possible to deduce the file’s content from the checksum,” explains Thorsten Holz. In the subroutine, the researchers from Bochum found another information in addition to the checksums, namely the file size.
Using these parameters, the RUB team identified more than 1,300 files and shared them with the NDR, WDR and SZ investigative team. Based on these and other sources, more than 2,000 files were reconstructed that were subsequently analysed in detail by the investigative team together with colleagues from The Guardian and The New York Times. Those included video and audio files containing Islamist propaganda, but also a document about the Dalai Lama and rock music by a Japanese band.
“The app is a surveillance tool used to scan mobile phones for specific information at the border – very fast and very efficiently,” concludes Thorsten Holz.
For press inquiries, please contact the press team of the Horst Görtz Institute for IT Security at hgi-presse@rub.de.
Links to publications in the media:
Original press release at RUB Newsportal
General note: In case of using gender-assigning attributes we include all those who consider themselves in this gender regardless of their own biological sex.