When traveling into China through the northwest border, border patrol may install a new spyware app called Fengcai or BXAQ on your phone. Some users have reported that the app was installed on their phone when stopped by police as well. Like the MFsocket app that Chinese police install on your cellphone in Beijing and Shanghai, this app appears to pull data from your phone and search for flagged files.
The app gathers private information from the phone including contacts, SMS messages, call logs, calendars and more according the research done by Cure53. Once gathered it tries to match your data to one of 73,000 items that’s listed. We suspect that if the app finds something then your data gets sent to their server, but it could be sending data from the phone to their server no matter what it finds. The app doesn’t appear to keep your data safe as well. Researchers found this app likely passes data in an unencrypted ZIP file over HTTP not HTTPS, leaving it open to man-in-the-middle attacks.
While I understand why China does this on its borders, they certainly have gone too far by requiring spyware apps to be installed when living inside some areas of China. In any case, having an app that indiscriminately saves data and sends it over unsecured connections makes me quite uneasy about having it installed. In addition, we don’t really know the full extent of what the app can do and given the reputation from previous apps that police force you to install, I might not bring my personal phone if traveling through China. As with MFSocket, we recommend leaving your personal cellphone at home when traveling through this part of China.
This article from China Digital Times contains more details on China’s trend of forcibly install spyware on users’ cellphones.