The National Cyber and Information Security Agency (hereinafter the "Agency") is issuing a security threat alert regarding the use of Tencent's WeChat mobile application. The app collects a large volume of user data which - along with the way the data is collected - could be used for precise cyberattacks. The company behind the WeChat app is Tencent, based in the People's Republic of China (PRC), which, according to verified information from the Agency, is closely linked to the Chinese government and the Chinese Communist Party.
The WeChat app is used by approximately 1.3 billion active users worldwide. It is most popular in the PRC and countries with larger Chinese communities. In the Czech Republic, only about 40,000 people use the app, but among these users is a significant number of high-profile individuals such as diplomats, businesspeople, scholars, or Chinese dissidents. Their sensitive data collected by WeChat could thus be misused in the future, for example, for blackmail or coercion.
The threat associated with the WeChat app is very similar to the threat surrounding the TikTok app operated by the Chinese company ByteDance, which the Agency warned about on March 8, 2023. "We are issuing this security threat alert not only based on our own analysis, but also on information from our domestic and foreign partners. However, compared to TikTok, the number of users on the WeChat platform is significantly lower, which is why in this case we are issuing a security threat alert instead of a warning," explains Lukáš Kintr, the director of the Agency.
WeChat is a social media and messaging mobile app with many additional features. It is developed and operated by Tencent, a company based in Shenzhen, China. Tencent is an entity subject to strict Chinese national legislation and regulations. For example, the State Security Law of 2015, the 2017 Law on State Intelligence Activities, the Companies Law of 2013, and the Regulations for Reporting Vulnerabilities in Network Devices require individuals and entities to cooperate with Chinese authorities, even against the interests of their international partners or customers. According to publicly available sources and information from the Agency's partners, Tencent is intertwined with the PRC public administration and the Chinese Communist Party. The PRC's influence operations in the Czech Republic leads to concerns of misuse of the data collected by the app
WeChat has already been banned in India, Canada, and some US states. This year, the Netherlands issued a recommendation for government employees not to use apps from countries that conduct offensive cyber operations against the state. Similarly, Canada banned the app in 2023 on government devices.
Recommendations of the Agency
"If you need to use WeChat, it is advisable to have the app installed on a separate device from the one you use for all other purposes. If this is not possible, we recommend you keep it on your device only for the strictly necessary period of time and only allow permissions that are required for its functioning," stated the Agency's Director Lukáš Kintr.
In the case of the WeChat app, the Agency has issued a security threat alert – therefore it is not a warning under the Act on Cyber Security, as was the case with the TikTok app. Even so, the Agency believes it is advisable not to underestimate the threat associated with using the WeChat app and to accordingly adapt or significantly restrict further use.
The full security threat alert can be found at the link: https://nukib.gov.cz/download/publications_en/WeChat_Security%20Threat%20Alert.pdf