As thousands of people gather on the streets of Hong Kong demanding democratic elections, security researchers have uncovered two pieces of mobile malware appearing to be used by the Chinese government to keep a close eye on pro-democracy protesters.
The people of Hong Kong are protesting because they want to democratically elect their leader in the 2017 elections. The Chinese government initially promised not to interfere, but it later announced that it will vet leadership candidates.
Days after protests started, people taking part in the demonstrations started receiving messages on their Android phones through WhatsApp. The messages purport to come from a group of activist coders called “Code4HK” and they contain a link that allegedly leads to an app designed to help coordinate the protests.
Researchers at Lacoon Mobile Security have analyzed the app and determined that it’s actually a mobile remote access Trojan (mRAT) that’s designed to collect various types of information from infected devices.
The malware is designed to harvest address books, SMS messages, call logs, location, media files, emails, browser history, and information on the infected device, including its ID, CPU frequency, memory and network data.
While analyzing the command and control (C&C) server used by the threat, researchers came across an mRAT designed for iOS devices. The malware, dubbed “Xsser,” is capable of harvesting address books, call logs, SMS messages, app authentication data, location, operating system data, pictures, and communications from the popular Chinese messaging app Tencent.
Lacoon hasn’t been able to determine how Xsser mRAT is distributed, but researchers have pointed out that the malware only works on jailbroken devices.
“Cross-platform attacks that target both iOS and Android devices are rare, and indicate that this may be conducted by a very large organization or nation state. The fact that this attack is being used against protesters and is being executed by Chinese-speaking attackers suggests it’s the first iOS trojan linked to Chinese government cyber activity,” Lacoon researchers wrote in a blog post.
“The Xsser mRAT is itself significant because it’s the first and most advanced, fully operational Chinese iOS trojan found to date. Although it shows initial signs of being a targeted attack on Chinese protesters, the full extent of how Xsser mRAT is being used is anyone’s guess. It can cross borders easily, and is possibly being operated by a Chinese-speaking entity to spy on individuals, foreign companies, or even entire governments,” they added.
The attackers have leveraged several services and techniques to make sure they can’t be identified. For example, the C&C servers are connected to a virtual private server (VPS) service and they can be accessed through the remote desktop protocol (RDP). Furthermore, a special China-based service has been used to protect the identity of the individuals who registered the C&C domains.
“Xsser is an example of what’s coming and why BYOD will be a disaster unless mobile operating systems are protected,” John Prisco, president and CEO of Triumfant, told SecurityWeek in an emailed statement. “Android is open but iOS is not. I am calling for Apple to cooperate and collaborate with the security industry to help us protect ourselves in this next wave of cyber-attacks.”