An app called Beijing One Pass, which foreign companies in China are required to use, has been discovered to contain spyware-like features. For now, it is not clear if the features were added to the app purposely. But the fact is undeniable that the app has spyware capabilities and can secretly install itself on a target system.
This was discovered by Insikt Group, a subdivision of a cybersecurity company Recorded Future, last month. Their team has analyzed the app provided by a customer.
The Insikt team discovered several suspicious features in the app that a benefits app should not have. Some of these included features that are usually found in malware, such as:
- Disabling of security and backup services on the host device
- Capturing and retrieving keystrokes
- Recording screenshots
- Reading data from the clipboard
- Attempt to read, create, or modify system registry ROOT certificates
- Check periodically for human interaction with the OS when the file is run
- Allow-listing domains for ActiveX use, which would allow it to connect to external internet resources
- The ability to run at Windows startup to ensure persistence
The suspicious app was developed by the Beijing Bureau of Certificate Administration (BJCA), a government-owned company that provides certificate authority services in China.
It is not clear if the features were added by hackers who compromised the app development process, or if they were added by the agency on purpose.
While their origin is unclear, the presence of spyware features inside the app is undeniable, researchers said.
Companies in China are forced to install it if they want to operate in the country. Therefore, in order to prevent sensitive corporate information from getting leaked, the Insikt Group has advised companies to only run the app on systems that do not store such sensitive data.
Previously, in a similar case discovered by Trustwave Labs in June 2020, a Chinese bank forced foreign companies to install a backdoored app in order to file their taxes.