BEIJING -- The Chinese Communist Party appears to have "superuser" access to all the data on more than 100 million cellphones, owing to a back door in a propaganda app that the government has been promoting aggressively this year.
An examination of the code in the app shows it enables authorities to retrieve every message and photo from a user's phone, browse their contacts and internet history, and activate an audio recorder inside the device, according to a U.S.-funded analysis.
"The [Chinese Communist Party] essentially has access to over 100 million users' data," said Sarah Aoun, director of technology at the Open Technology Fund, an initiative funded by the U.S. government under Radio Free Asia. "That's coming from the top of a government that is expanding its surveillance into citizens' day-to-day lives."
The party, led by Xi Jinping, launched the app, called "Study the Great Nation," in January. The name is a pun because the Chinese word for study -- "xuexi" -- contains the authoritarian leader's family name.
The app contains news articles and videos, many of them about Xi's activities or his ideology, "Xi Jinping Thought." There is even a sense of competition, with users earning points for reading articles and commenting on them, and a leader board showing how users are faring in quizzes.
The app, which can be downloaded on all types of smartphones including Apple and Android, has been called Xi's high-tech equivalent of Mao Zedong's Little Red Book and was launched amid a campaign to bolster the Communist Party's ideological control over the Chinese population.
It quickly became the most downloaded app in China, including in Apple's app store in the country, with state media reporting in April that it had more than 100 million registered users. Google is blocked in China, so Android users must download the app through other means.
The Open Tech Fund contracted Cure53, a German cybersecurity firm, to break apart the app and determine its exact capabilities. Although they were not able to fully assess the app's functionalities because of code designed to thwart attempts to dissect the app, the Cure53 auditors found code that amounts to a back door into the phone that is able to run arbitrary commands with "superuser" privileges.
Granting such privileges is tantamount to giving administrator-level access to a user's phone, and this kind of code is generally considered to be malicious. Superuser privileges give developers the power to download any software, modify files and data, or install a program to log key strokes.
"It's very, very uncommon for an application to require that level of access to the device, and there's no reason to have these privileges unless you're doing something you're not supposed to be," said Adam Lynn, the Open Tech Fund's research director.
"The access itself is significant. The fact that they've gone to these lengths [to hide it] only further heightens the scrutiny around this," he said.
The investigation could not reveal how the code or the information it gathered was being used, but there was no legitimate reason a supposedly educational app would seek to run commands on users' phones with high privilege levels, the fund wrote in a commentary about the Cure53 report, which will be published Monday.
A review of the terms and conditions of the app, which was developed by the Communist Party's Propaganda Department in collaboration with the Chinese tech giant Alibaba, shows that users must agree to allow access to a vast trove of information and functions.
This includes allowing the app to access and take photos and videos, transmit the user's location, activate audio recording, dial phone numbers and trawl through the user's contacts and internet activity, as well as retrieve information from 960 other applications including shopping, travel and messaging platforms.
The app collects and sends detailed log reports on a daily basis, containing a wealth of user data and app activity, the investigation found.
The State Council Information Office, responding on behalf of the Propaganda Department, denied the app contained such functions.
"We learned from those who run the 'Study the Great Nation' app that there is no such thing as you have mentioned," the office said in a response to faxed questions outlining the report's main findings.
Alibaba declined to comment, referring questions to the Propaganda Department. It has previously said that the app was built using software from its messaging app, DingTalk.
A spokesman for DingTalk tried to distance the subsidiary from the app.
"DingTalk is an open technology platform, and its suite of technology tools can be used for independent development of other applications and does not have any 'backdoor code' or scanning issues," the spokesman said in a message forwarded by Alibaba.
To use the app, users must sign up with their real names and cellphone numbers, creating a trail since all phones in China must be registered to a national ID card number.
Use of the app in China is not exactly voluntary. The Communist Party has issued directives to its members to download the app, as have many workplaces.
Last month, 60 proficient app users were chosen to come to Beijing and watch a special artistic performance in the Great Hall of People on Tiananmen Square.
Ma Weizhong, the deputy director of Chizhou Environment Bureau in Anhui province, said he felt "blood surging in my heart" when he learned he would be going. "I felt both proud and honored, and a great sense of responsibility," Ma, who started using the app in January, told local media.
Others are not so happy about their workplace-mandated usage sessions, which have become so stringent that some entrepreneurial types have started services where they will log app hours on a customer's behalf.
"Sometimes even when I'm very tired and have put my baby to sleep, I still have to complete my 'Study the Great Nation,' otherwise my pay will be cut," one disgruntled app user wrote on Weibo, the Chinese answer to Twitter. Another complained about having to write a 2,000-word self-criticism because they didn't earn enough points on the app.
Information for this article was contributed by Wang Yuan, Liu Yang, Lyric Li and Greg Bensinger of The Washington Post.
A Section on 10/13/2019
Print Headline: Chinese app a new tool for spying, tech group says