Cybersecurity researchers say they have found evidence of Chinese spyware in Uighur-language apps that can track the location and harvest the data of Uighurs living in China and abroad.
Uighurs are a Turkic Muslim minority predominantly in China's northwestern region of Xinjiang, where a recent United Nations (UN) report said Beijing may have committed crimes against humanity.
The United States and lawmakers in other Western countries say China's treatment of the Uighurs amounts to genocide.
Since 2018, multiple Uighur-language Android apps have been found to be infected with two strains of spyware linked to Chinese state-backed hacker groups, according to a November 10 report by San Francisco-based cybersecurity firm Lookout.
They include dictionaries, religious apps, maps and even pirated versions of WhatsApp available on third-party stores or shared on Uighur-language channels on Telegram.
They were not available on the official Google Play store, which is blocked in China, leading Chinese users to use third-party app stores.
The spyware enabled hackers to collect sensitive data including a user's location, contacts, call logs, text messages and files, the report said, and could also take photos and record calls.
Researchers said the apps could have been used to detect evidence of religious extremism or separatism, for which Uighurs have been imprisoned, some for decades, as part of a sweeping anti-terrorism crackdown in Xinjiang that observers say amounts to a mass detention campaign.
Large Uighur diaspora populations also live in Central Asia and Turkey.
"The campaign appears to primarily target Uighurs in China. However, we found evidence of broader targeting of Muslims and Uighurs outside of Xinjiang," the report said.
"Several of the samples we analysed masqueraded as mapping apps for other countries with significant Muslim populations, like Turkey or Afghanistan."
For years, China has engaged in mass monitoring of Uighurs in Xinjiang, creating a province-wide surveillance platform that vacuums Uighurs' personal data from their phones and tracks their movements through facial recognition.
Several Chinese surveillance and camera firms have been sanctioned by the United States for alleged complicity in human rights violations.
Uighurs living abroad have spoken of attempts at cross-border surveillance and coercion from Chinese police back in Xinjiang.
Samples of the infected apps were dated from 2018 onwards, and the vast majority of apps infected with one strain of spyware were discovered in the second half of this year, the report said.
"Despite growing international pressure, Chinese threat actors operating on behalf of the Chinese state are likely to continue to distribute surveillanceware targeting Uighur and Muslim mobile device users through Uighur-language communications platforms," Lookout researchers wrote.
In August, a long-awaited UN report was published, detailing a string of violations of the rights of Uighurs and other Muslim minorities in the far-western region, and bringing the UN seal to many of the allegations long brought by activist groups, Western nations and the Uighur community in exile.
"The extent of arbitrary and discriminatory detention of members of Uyghur and other predominantly Muslim groups ... may constitute international crimes, in particular crimes against humanity," the report said, using an alternate spelling of Uighur.
"Serious human rights violations have been committed in XUAR [Xinjiang Uyghur Autonomous Region] in the context of the government's application of counter-terrorism and counter-'extremism' strategies," the UN report said.
The assessment raised concerns about the treatment of people held in China's so-called Vocational Education and Training Centres (VETCs).
"Allegations of patterns of torture or ill-treatment, including forced medical treatment and adverse conditions of detention, are credible, as are allegations of individual incidents of sexual and gender-based violence," the report said.