Spoofed Apps and Mobile Spyware: A Hidden Threat to the Tibetan Community
Tibetan communities are once again the target of dangerous digital surveillance. A recent joint report by the UK’s National Cyber Security Centre (NCSC), along with cybersecurity agencies from the US, Canada, Germany, Australia, and New Zealand, has confirmed the use of powerful spyware tools—BADBAZAAR and MOONSHINE—that are being spread through spoofed mobile apps. These apps look harmless—some even familiar—but they’ve been tampered with to secretly spy on your phone.
These two mobile spyware campaigns have been active for several years. MOONSHINE was first exposed in 2019 by Citizen Lab, which reported that it targeted Tibetan groups through malicious Android apps shared via messaging platforms like Telegram and WhatsApp. BADBAZAAR, meanwhile, came to light in 2022 through Lookout research and was later tied to broader campaigns targeting Uyghurs, Tibetans, and Taiwanese users. Both tools have continued to evolve, incorporating more sophisticated surveillance features and spreading through increasingly convincing spoofed apps.
These malicious apps are designed to resemble useful tools: Tibetan prayer apps, dictionaries, calendar apps, and even popular messengers like Signal, Telegram, WhatsApp and Zom Messenger. But behind the scenes, they can access your messages, track your location, record your voice, and capture your screen—all without your knowledge. Once installed, they open a silent channel for surveillance, targeting people simply for who they are and what they believe.
Some of these apps have been shared in Tibetan chat groups or posted on trusted social media pages. Others are downloaded outside official app stores and installed manually on Android phones—a process known as sideloading. This method bypasses the security checks of the Google Play Store, making it much easier for attackers to hide spyware inside app files. Installing apps this way significantly increases the risk of exposing your device to surveillance and data theft.
Spoofed apps often contain subtle differences from the originals. The name might be slightly misspelled, like “Tibetan Paryer” instead of “Tibetan Prayer”, or the app icon might look fuzzy or poorly made. Even more concerning, these apps can ask for permissions that don’t make sense—like a calendar app requesting access to your microphone or location.
Before installing any app, especially on Android devices, take time to check if it could be spoofed.
- Start by reviewing the developer’s name — trusted Tibetan apps, such as Tibetan Prayer, are published by verified organizations like the Tibetan Computer Resource Centre (TCRC). If the developer listed in the app store or on the app’s page doesn’t match the known source, it may be spoofed.
- Look carefully at the app’s name and icon. Spoofed versions often contain subtle changes, like misspellings (e.g., “Tibetan Paryer”) or a blurry, altered logo.
- Permissions are another key indicator — apps should only request access that’s relevant to their function. For example, a Tibetan calendar app shouldn’t need access to your microphone or location.
- Scan the APK file. If you’re downloading the app from outside an official store, upload the file to VirusTotal.com to check for known malware. If you’re unsure how to do this or want help scanning your device for spyware, you can reach out to TibCERT for support — we’re here to help.
- Use advanced tools if available. Tech-savvy users can run the Mobile Verification Toolkit (MVT) to detect spyware activity on their phone.
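For helpers who review APK files on a computer, the name and permission checks above can be scripted. The following is an added example, not a TibCERT tool: it assumes the output of `aapt dump badging app.apk` has been saved as text, and the trusted-name list, the permission list, the similarity threshold and the sample input are all constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Assumption: app names you already trust (this one is named in the article).
KNOWN_NAMES = ["Tibetan Prayer"]

# Assumption: permissions that are out of place for a prayer, dictionary or calendar app.
UNEXPECTED = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_SMS": "messages",
}

def parse_badging(text):
    """Extract the app label and requested permissions from `aapt dump badging` output."""
    label = re.search(r"^application-label:'([^']*)'", text, re.M)
    perms = re.findall(r"^uses-permission: name='([^']+)'", text, re.M)
    return (label.group(1) if label else ""), perms

def check_app(text, threshold=0.85):
    """Return warnings for a near-miss app name and for out-of-place permissions."""
    label, perms = parse_badging(text)
    warnings = []
    if label not in KNOWN_NAMES:
        for known in KNOWN_NAMES:
            # A very similar but not identical name suggests a lookalike.
            if SequenceMatcher(None, label.lower(), known.lower()).ratio() >= threshold:
                warnings.append(f"name '{label}' imitates '{known}'")
    for perm in perms:
        if perm in UNEXPECTED:
            warnings.append(f"requests {UNEXPECTED[perm]} access ({perm})")
    return warnings

# Constructed sample input, not taken from a real app.
SAMPLE = """package: name='com.example.prayer' versionCode='3' versionName='1.2'
application-label:'Tibetan Paryer'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
"""

if __name__ == "__main__":
    for warning in check_app(SAMPLE):
        print("WARNING:", warning)
```

A clean result from this script does not mean the app is safe; it only covers the name and permission checks, so the VirusTotal and MVT steps still apply.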
If you discover or suspect that you’ve installed a spoofed app, act quickly.
- Disconnect your device from both Wi-Fi and mobile data to prevent any further data from being sent.
- Uninstall the app immediately.
- Back up any important personal data that you trust to be clean.
- To fully remove any hidden spyware, consider resetting your device to factory settings.
- Reach out for help. Contact TibCERT for support:
These attacks are part of a broader pattern of digital repression aimed at silencing and monitoring marginalized communities. But we are not powerless. By staying alert, verifying apps before installing them, and supporting one another, we can limit the reach of these threats. Your phone holds your voice — protect it.