Spyware-like features found in China app Bejing One Pass

Sicherheit (Pexels, allgemeine Nutzung)[German]Foreign companies operating in China need the Beijing One Pass app, to access a digital platform for managing government employee benefits. Now security specialists have found spyware-like features in this app and made that known.


I already came across the following tweet a few days ago with relevant references. Catalin Cimpanu published the details in this post on The Record. 

Spyware in China-App Bejing One Pass

The spying feature was found last month by security researchers at Insikt Group, who published the whole thing in this blog post.

Customer reports a suspicion

A Recorded Future customer informed Insikt Group of a possible security incident triggered by a software application called "Beijing One Pass." This Chinese government-backed application provides access to government benefits information and was downloaded by Recorded Future customer employees after they were informed that the information would no longer be available in paper form.

Spyware-ähnliche Funktionen

A scan of the software revealed that it is associated with Beijing Certificate Authority, a Chinese state-owned enterprise (BJCA, www.bjca[.]cn). The security researchers found some notable suspicious behaviors related to several dropped files and processes launched from the main application. These suspicious behaviors include a persistence mechanism, collecting user data such as screenshots and keystrokes, a backdoor functionality, and other behaviors such as disabling security and backup services. These behaviors are commonly associated with malicious tools.


While security researchers are not sure if it is really spyware in Beijing One Pass software. But the presence of the spyware-like features mentioned above makes suspicious. It could be evidence of a deliberate attempt to gain access to devices (e.g., in support of China's cybersecurity law that allows security organizations to remotely inspect corporate networks), the result of lax security practices by certificate authorities (CAs) and developers, or features designed to comply with Chinese laws and regulations.

Whatever the motive, installing such software on devices that have access to sensitive data is discouraged. Recorded Future recommends that companies with employees based in China who need to access government benefits information using the "One Pass" software not use it on devices that have access to sensitive company data. More details and a more in-depth analysis can be found in this blog post.

Similar articles:
German BKA and FBI warns of China espionage by GoldenSpy
China and the spyware in software products
The Chinese RSA Hack from 2011

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *