On July 30, the Ministry of State Security issued a reminder:
When out and about, feeling your phone battery drop below 50% is more alarming than a breakup! Shared power banks are the “cyber life-saving elixir” for modern urbanites, instantly boosting your sense of security when you plug in a data cable. However, it is shocking to discover that the evil hand has reached out to this small “lifeline.” It has been found that foreign espionage agencies and malicious individuals are using this to steal citizens’ personal privacy and even state secrets.

Don’t let charging lead to leaks
Mo Xuanmin, a technician at the Guangdong Provincial National Security Education Museum, explained that modified power banks contain “trojans” that can access phone data. When the data cable from the power bank is connected to the phone, the trojan is implanted, and the data on the phone will be sent back to the spy.
When users use these modified power banks, the trojan program will silently implant itself into the phone,stealing personal information such as contacts, text messages, photos, and videos, and even allowing covert operations through the camera and microphone,seriously threatening the user’s privacy security.
The photos taken by the camera can be displayed in real-time on the spy’s screen.
Cybersecurity is no small matter; even a small power bank can become a breach for information leakage. Therefore, one must remain vigilant when using unfamiliar power banks.
How does charging lead to leaks?
Power bank espionage is mainly achieved through three methods:
Hardware Implantation Attack: Raspberry Pi Disguise
-
Tool: A Raspberry Pi (microcomputer) is embedded into the power bank’s circuit board, costing less than 300 yuan.
-
Concealment: Even if the power bank is unplugged, the trojan remains in the phone’s background, continuously transmitting data.
-
Attack Process:

Exploitation of Software Vulnerabilities: Abuse of System Permissions
-
Android System: Inducing users to enable “Developer Mode” to gain root-level permissions via ADB (Android Debug Bridge), allowing silent installation of trojans and monitoring screen operations, directly accessing Alipay payment codes.
-
iOS System: Utilizing “Trust this Computer” to authorize access to sandbox data, combined with vulnerabilities to scrape account passwords saved in the Keychain.
Man-in-the-Middle Attack (Data Transmission Layer)
-
Some shared power bank apps or mini-programs transmit unencrypted structured data (such as name, gender) over encrypted channels, allowing hackers to intercept and use it for credential stuffing attacks. Tests by the Shanghai Consumer Protection Committee showed that 7 out of 10 mainstream brands had such vulnerabilities.
How to prevent espionage power banks?
Taking the following measures in daily life can help mitigate threats:
-
Reject suspicious authorization prompts, and never click on pop-ups like “Trust this device” or “Enable USB debugging.” Normal power banks do not require any permissions.
-
Physically isolate risks by using pure charging cables (only containing power pins, no data transmission function) or carrying a “charging data isolator.”
-
Strengthen device and system security: Android users should disable Developer Mode (Settings → System → Developer Options); iOS users should promptly revoke trust in “Settings → General → Device Management” after connecting.
-
Choose trusted charging channels, prioritizing the use of legitimate brand kiosks, and avoid power banks sold at train stations or those offered for free via QR codes, as they carry a high risk of modification.
Be cautious in these everyday scenarios
Embedding espionage devices in ordinary consumer goods and using their normal operational state as cover makes espionage activities more covert. How can we guard against such disguised cameras?
Stay alert and observe carefully; when checking into hotels or entering unfamiliar environments, thoroughly inspect the room. Pay attention to unusual structures or unknown small holes in common items such as sockets, smoke detectors, air conditioning vents, tissue boxes, wall clocks, and routers.
Consider equipping infrared camera detectors, signal scanners, and other tools to quickly identify hidden cameras or listening devices. For business travelers, it is recommended to carry portable anti-eavesdropping devices to enhance self-protection capabilities.
Cut off potential threat sources: When not using electronic devices such as TVs, speakers, or smart speakers, try to unplug them to prevent remote activation. Use WiFi shielding bags to protect phones and other devices from illegal access.
Enhance security awareness and avoid setting “weak passwords”
A weak password is one that is easy to crack, such as passwords formed by consecutive numbers, phone numbers, or birthdays. How should we set passwords in daily life?
-
Passwords should be at least 8 characters long; the longer the password, the harder it is to crack, and it should include uppercase and lowercase letters, numbers, and symbols.
-
Do not use personal information such as names, birthdays, or phone numbers as passwords.
-
It is recommended to change passwords every three months to reduce the risk of being cracked.
Counter-espionage and anti-theft require not only the specialized role of national security agencies but also the broad participation and joint prevention of the public.
Source: CCTV News, Ministry of State Security, Hubei Release, Xiao Tuo Talks about Confidentiality
Editor: Tian Yunfeng