In cooperation with investigative journalists of the Süddeutsche Zeitung and the NDR, Prof. Dr. Thorsten Holz and doctoral student Moritz Contag have clarified the technical details behind "Operation Honey Bee".
IT security researchers from the Ruhr University Bochum (RUB), together with the research association of NDR, WDR and Süddeutsche Zeitung (SZ), have analysed how a Chinese surveillance app works that people entering the country must have installed on their mobile phones when crossing the border from Kyrgyzstan to China. The New York Times and the British Guardian also published the results of the research. The scientists found that the app searches the mobile phone for about 73,000 specific files. Furthermore, the app creates a report for the border official, which contains the latest telephone activities, contacts, SMS messages and social media accounts used. The scientists published their results online at dwuid.com/content/analyzing-mobilehunter. The media reported on the research results on 2 July 2019.
A reader of the SZ had drawn the newspaper's attention to the procedure in which immigrants had to hand over their unlocked mobile phone to a border official for the installation of the app. The media houses then took up the research and called on the expertise of Prof. Dr. Thorsten Holz. The head of the Chair for System Security at the RUB, one of the speakers of the Casa Cluster of Excellence - short for cyber security in the age of large-scale attackers - is an expert in the analysis of software applications.
Together with his doctoral student Moritz Contag, he investigated both the actual app and two subprograms of the app, which were only available as machine code of zeros and ones. This code can be executed directly by the processor, but is not comprehensible to humans.
Report on social media accounts and phone activity
The analyzed Android app creates a report containing information such as contacts stored in the phone, SMS messages sent and a list of recent call activity including the cell tower to which the phone was connected. The first subroutine collects information about which Chinese social media apps are installed on the phone and which accounts are connected to them.
The second subroutine scans the phone for specific files. It contains a list of 73,315 so-called checksums. These are usually used to ensure the integrity of files; they are a kind of digital fingerprint. For example, if you download a file from the Internet, a matching checksum is often given. Once the download is complete, the computer or mobile device can calculate the checksum of the downloaded file and compare it with the expected checksum. If the file is damaged during the download, the calculated and expected checksums do not match. If the two values are the same, the file is unchanged.
Searching for specific videos
Every file, i.e. every video, every text or audio file, has its own digital fingerprint in the checksum. The app calculates the checksums for all files available on the mobile phone and compares them with a stored list. "From the checksums, however, you cannot directly deduce the content of the file," explains Thorsten Holz. In the subroutine of the app, the Bochum researchers found a second piece of information in addition to the checksums for each file, namely the file size.
Using these parameters, the RUB team was able to identify more than 1,300 files and make them available to the NDR, WDR and SZ research teams. Together with other sources, a total of more than 2,000 files could be reconstructed, which the research team then examined in detail together with colleagues from the Guardian and the New York Times. These included videos and audio files with Islamic propaganda, but also a document on the Dalai Lama or a rock song by a Japanese band.
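The identification step described above can be sketched as follows. This is an added example, not code from the app or from the RUB researchers: it takes list entries consisting of a checksum and a file size and finds the files in a collection of candidates that match both values. The article does not name the checksum algorithm, so SHA-256 is an assumption here, and the function names and sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def file_digest(path, chunk_size=65536):
    """Stream a file through SHA-256 (assumed algorithm) and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def identify_entries(entries, corpus_dir):
    """Map each (checksum, size) entry to the files under corpus_dir matching both."""
    by_size = defaultdict(set)
    for checksum, size in entries:
        by_size[size].add(checksum.lower())
    matches = {(c.lower(), s): [] for c, s in entries}
    for root, _dirs, files in os.walk(corpus_dir):
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                continue
            size = os.path.getsize(path)
            if size not in by_size:
                continue  # size pre-filter: no listed file has this length, skip hashing
            digest = file_digest(path)
            if digest in by_size[size]:  # same size alone is not a match
                matches[(digest, size)].append(os.path.relpath(path, corpus_dir))
    return {key: sorted(paths) for key, paths in matches.items()}


def demo():
    """Constructed sample: three candidate files checked against a two-entry list."""
    with tempfile.TemporaryDirectory() as d:
        samples = {"a.txt": b"hello world\n", "b.bin": b"HELLO WORLD\n", "c.txt": b"other"}
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        listed = (b"hello world\n", b"not in corpus")
        entries = [(hashlib.sha256(b).hexdigest(), len(b)) for b in listed]
        return identify_entries(entries, d)


if __name__ == "__main__":
    print(demo())
```

In the sample, `b.bin` has the same size as a listed file but a different checksum and is therefore not reported, while the second list entry stays unidentified because no candidate file matches it.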
"The app is a surveillance tool that can be used to search the mobile phone at the border very quickly and efficiently for specific information," concludes Thorsten Holz.