In China’s Xinjiang province, where the Turkish Uyghur population is a majority, is also where the Chinese government has some of its strictest, most wide-ranging, and absolutely privacy-invading surveillance activities. Earlier this year in May, the Human Rights Watch had exposed how police in Xinjiang used a smartphone app to monitor (and oppress) its people. The app monitors everything, from flagging use of banned apps such as WhatsApp, to gaining access to contacts, text messages, and almost everything else on a user’s smartphone – this data would then be used by the police to decide which individuals to question or detain.

However, a new investigation carried out by Motherboard, The Guardian, the New York Times, and others, has now revealed that smartphone surveillance in Xinjiang is imposed on tourists as well. According to the report, foreigners crossing into Xinjiang are “forced to install a piece of malware on their phones that gives all of their text messages as well as other pieces of data to the authorities.”

The malware, named Feng Cai or BXAQ, scans the target device’s files against a huge target list of over 70,000 files, including things like Islamic extremist content, and even things like installed copies of the Quran, “innocuous Islamic material, academic books on Islam by leading researchers, and even music from a Japanese metal band.”

Motherboard’s report provides more insight into the analysis of the app, and its workings:

“Penetration testing firm Cure53 on behalf of the Open Technology Fund, researchers at Citizen Lab from the University of Toronto, and researchers from the Ruhr University Bochum as well as the Guardian itself all provided insights about BXAQ. The app’s code also includes names such as “CellHunter” and “MobileHunter.”

Once installed on an Android phone, by “side-loading” its installation and requesting certain permissions rather than downloading it from the Google Play Store, BXAQ collects all of the phone’s calendar entries, phone contacts, call logs, and text messages and uploads them to a server, according to expert analysis. The malware also scans the phone to see which apps are installed, and extracts the subject’s usernames for some installed apps.”

The reports also point out that while invasive, the BXAQ or Feng Cai malware is nowhere near the level of surveillance and oppression that the local population in Xinjiang lives under. The majority Uyghur population in Xinjiang is constantly under CCTV surveillance, and the IJOP (Integrated Joint Operations Platform) app that’s installed on the locals’ phones, labels many seemingly harmless actions as suspicious, including things like “not socializing with neighbors.”

China has repeatedly claimed that its actions in Xinjiang are internal affairs and the international community shouldn’t try to interfere with however China handles its “counter-terrorism” efforts within its borders. These reports just go to show how China is carrying out mass surveillance under the guise of counter-terrorism, and not just on its locals, but even tourists and foreigners visiting the country are subjected to such invasive surveillance activities.