A popular Communist Party propaganda app could give Chinese government officials “superuser” access to any Android device on which the program has been downloaded, essentially providing access to all user files, new research has found.
Why it matters: The app, Xuexi Qiangguo, which roughly translates to “Study the Powerful Nation,” has garnered a massive following since it was released earlier this year.
- Shortly after its release, state media claimed the app had 100 million registered users.
- Chinese e-commerce giant Alibaba is reportedly the app’s developer.
- The app allows users to read government news, watch short videos documenting Party theories, and take quizzes on Communist Party ideology.
“[The app] boasts technical capabilities that go well beyond what it purports to do, and maintains a level of access that no app would normally have over a user’s device.”
Details: Xuexi Qiangguo gives the government access to all of a smartphone user’s files and provides the ability to run commands on the device, including modifying files and installing software to log keystrokes, the researchers said.
- The study was conducted by the Open Technology Fund’s Red Team Lab and German cybersecurity firm Cure53.
- Xuexi Qiangguo actively scans for other applications on the phone and draws from a list of nearly 1,000 apps, including WhatsApp, Facebook Messenger, and Uber, among others.
- The app also collects detailed information including location, app usage, connection information, and data that identifies an individual device.
- The researchers said that the collected information is relayed to a server on a daily basis and that encryption is intentionally weakened, with weak cryptographic algorithms used in areas that contain biometric and email data.
- It is unclear to what extent the superuser privileges are being exploited, the researchers said.
Context: The app was first released in January and rose to the top of Apple’s China App Store shortly after.
- Government employees are reportedly required to use the app regularly, but supervision of its use varies heavily between provinces and government departments.
- Nevertheless, some party members have found ways to cheat the system, leaving the app open during the day to increase their perceived usage. Meanwhile, others use software that automates usage in the app to appear as if it is being used regularly.