China Change

Home » Reports » What to Make of the Explosive New WeChat and QQ Spying Revelations?

What to Make of the Explosive New WeChat and QQ Spying Revelations?

Safeguard Defenders, September 10, 2017


saveguard defenders _ a project by


A new report by a Lookout, a Cybersecurity company, has generated renewed interest in the security, or lack thereof, of WeChat and QQ ( Despite this, there has been limited attention paid to this explosive new revelation.

It has long been known that due to WeChat keeping its servers inside China, the lack of legal protection of privacy data, and the control over companies by police, that WeChat data is not safe, and can, without protection, be accessed by police or other state actors more or less at will. This has naturally made people shy away from using WeChat for any more serious or political discussions. More and more court cases of people being prosecuted simply based on private chat messages to friends have further illustration this. At the same time, at the time of the Occupy Central movement in Hong Kong, it was shown that a ‘Trojan’ virus was being employed to surveil users remotely.

xRAT. That’s the name of the new discovery. Like the earlier virus found, it’s a ‘Trojan’ virus, meaning it masks itself as something else, for example a PDF file, and you will be unaware of if you have it on your phone by now. It specifically targets you through your WeChat or QQ account.

So what’s the big deal?

The ‘Trojan’ operates with administrator privileges. It means it can access and control any and all aspects of your phone. It also means it can do so without you noticing. In fact, it can remotely get ‘full control’. If you want to understand what this means it is this: it has as much access to your phone as if you were to give it to someone, and then tell them your PIN code. Full control.

This means that not only your WeChat or QQ use is exposed. All of your phone is exposed. Photos stored, downloads, documents, any Apps to other services installed, chat logs, phone records, contact lists, and of course, your browser and its entire browsing history, which may include credit card and password and login information to other service, for example encrypted emailing you use.

In short, any phone that has WeChat on it, and is also used to access work emails, or secure chat programs like Telegram or Signal, can now be in the hands of Chinese police or state security. For the community of supporters of human rights in China it moves from bad to terrible. You can now, if you communicate with human rights defenders in China through secure Apps or emailing on a phone that has WeChat or QQ installed, inadvertently be giving the Chinese police material that will incriminate those human rights defenders and land them in prison.

To make matters worse, administrator privilege means you microphone can be turned on, and stream whatever is heard to the Chinese police. Same with video camera and camera. It is a most sophisticated spying tool with far-reaching consequences. It can, it goes without saying, read you location, as well as the specific meta-data of your phone.

If that wasn’t enough, there is one last thing, which makes it such a sophisticated virus. It can auto destruct itself. And when doing so, it can not only delete itself from your phone, but wipe much of your phone log data, making it hard even for technically skilled people to know that the virus was ever there. In short, you might never know if your phone, your use, is the reason someone has landed in prison.

A number of control centers in China has been identified to where such data and traffic goes. The code is such that there is little doubt that this ‘Trojan’ comes from the same people behind the earlier ‘Trojan’ targeting Hong Kong Occupy Central people, just much more sophisticated.

Should I worry? What to do?

First off, there is still some lack of understanding how the infection spreads to your phone. At the same time, there is little reason to think resources would be spent to develop such a tool, and then not try to use it. An earlier, much less sophisticated version, was used extensively during the Occupy Central movement. Why would the police and state security organs not use a tool if it’s already been developed, and if it’s this powerful? It should go without saying that you need to operate as if it’s being used widely, and as if you were a target.

Most people with risk awareness will already have made sure to not use WeChat or QQ, or if they felt a strong need to have it, have it installed on a second phone which is not used for anything else. If you need WeChat, like many unfortunately feel they do, at the very least, install it on a blank, factory-reset second phone, like a super cheap android phone. Due to microphone remote control, make sure to never have it in your office or at any discussions.

Secondly, your current phone, if infected, will not be secure just by uninstalling WeChat and QQ. You will have no choice but to do a factory reset. This may be an inconvenience, but it is the only way. It goes without saying that any existing PIN codes, passwords to work emails, etc., will need be changed after you have done this factory reset.


From the editors:

Since this post was launched, we have heard several complaints such as this one: “the article misrepresents the malware report, which does not mention WeChat or QQ as delivery method, but instead as targeted data.” It is true that the threat is posed by a ‘Trojan’ virus, an external program designed to utilize weaknesses through WeChat and QQ. The vulnerability begins when the xRAT “Trojan” has infected your phone, and the “Trojan” aims at infecting those using WeChat or QQ. The WeChat and QQ programs themselves do not contain the “Trojan.” The silent mode in which it can operate nonetheless makes it hard to know if your phone has been infected. The mode of infection, for example through having downloaded and opened a PDF or other type of file, continues to be studied and the mode of infection is not yet clear.






微信的服务器在中国大陆,那里缺少对私人数据的法律保障,公司处于公安的控制下,所以微信的数据没有安全保障,随时可以被警方或其他政府部门监控以及浏览。这是早已为人所知的事实。因此很多人在进行政治或比较严肃的讨论时都不再使用微信。在越来越多的法庭案件中,一个人被起诉仅仅是基于和朋友的私密聊天记录,这也证实了微信是不安全的。与此同时,在香港占中运动期间,一种 “特洛伊”木马病毒被用来远程监视用户。









我应该担心吗? 我该怎么做?









  1. Kk says:

    iPhone 手机也会被控制吗?

  2. […] What to Make of the Explosive New WeChat and QQ Spying Revelations? […]

  3. Markus says:

    Everybody using a mobile phone should know that the phone is constantly spying on you, it’s what it’s designed for.
    You will need to make a choice of security & privacy and convenience.

  4. ify says:


  5. […] 来源: What to Make of the Explosive New WeChat and QQ Spying Revelations? […]

  6. Tom says:

    1、iphone 会不会感染这个木马?

  7. […] What to Make of the Explosive New WeChat and QQ Spying Revelations? September 10, 2017 […]

  8. teddy esguerra says:

    my wechat i.d was block last night..wechat team mesage me on what to do.i ask a friend who has wechat for more than 6 months to let her phone number registered to wechat for him to be able to confirm that my account is authentic..minutes later her account was already blocked too…WTF is this…can wechat do something about this?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s