BEIJING – The Chinese Communist Party appears to have “superuser” access to all the data on more than 100 million cellphones, owing to a back door in a propaganda app that the government has been promoting aggressively this year.
An examination of the code in the app shows it enables authorities to retrieve every message and photo from a user’s phone, browse their contacts and internet history, and activate an audio recorder inside the device, according to a U.S.-funded analysis.
“The Chinese Communist Party essentially has access to over 100 million users’ data,” said Sarah Aoun, director of technology at the Open Technology Fund, an initiative funded by the U.S. government under Radio Free Asia. “That’s coming from the top of a government that is expanding its surveillance into citizens’ day-to-day lives.”
The party, led by Xi Jinping, started the app, called “Study the Great Nation,” in January. The name is a pun because the Chinese word for study — “xuexi” — contains the authoritarian leader’s family name.
The app contains news articles and videos, many of them about Xi’s activities or his ideology, “Xi Jinping Thought.” There is even a sense of competition, with users earning points for reading articles and commenting on them, and a leaderboard showing how users are faring in quizzes.
The app, which can be downloaded on all types of smartphones including Apple and Android, has been called Xi’s high-tech equivalent of Mao’s Little Red Book and was launched amid a campaign to bolster the Communist Party’s ideological control over the Chinese population.
It quickly became the most downloaded app in China, including in Apple’s app store in the country, with state media reporting in April that it had more than 100 million registered users. Google is blocked in China, so Android users must download the app through other means.
There have been suspicions about the app’s invasiveness — although many people in China are conscious that the authorities can read their messages if they want to. A cybersecurity law enacted two years ago required all tech companies to share user data with the government.
Breaking open the app
The Open Tech Fund contracted Cure53, a German cybersecurity firm, to break apart the app and determine its exact capabilities. Although they were not able to fully assess the app’s functionalities because of code designed to thwart attempts to dissect the app, the Cure53 auditors found code that amounts to a back door into the phone that is able to run arbitrary commands with “superuser” privileges.
Granting such privileges is tantamount to giving administrator access to a user’s phone, and this kind of code is generally considered to be malicious. Superuser privileges give developers the power to download any software, modify files and data, or install a program to log key strokes.
“It’s very, very uncommon for an application to require that level of access to the device, and there’s no reason to have these privileges unless you’re doing something you’re not supposed to be,” said Adam Lynn, of the Open Tech Fund.
“The access itself is significant. The fact that they’ve gone to these lengths to hide it only further heightens the scrutiny around this,” he said.
The investigation could not reveal how the code or the information it gathered was being used, but there was no legitimate reason a supposedly educational app would seek to run commands on users’ phones with high privilege levels, the fund wrote in a commentary about the Cure53 report, which will be published Monday.
A review of the terms and conditions of the app, which was developed by the Communist Party’s Propaganda Department in collaboration with the Chinese tech giant Alibaba, show that users must agree to allow access to a vast trove of information and functions.
This includes allowing the app to access and take photos and videos, transmit the user’s location, activate audio recording, dial numbers and trawl through the contacts and internet activity, as well as retrieve information from 960 other applications including shopping, travel and messaging platforms. It even requires the ability to connect to Wi-Fi and turn on the flashlight.
“It can take over the entire device, and it could be sending back information,” said Lynn.
The app collects and sends detailed log reports on a daily basis, containing a wealth of user data and app activity, the investigation found.
The State Council Information Office denied the app contained such functions.