Now on Demand Ransomware Resilience & Recovery Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Malware & Threats

Chinese Government Suspected of Using iOS, Android RATs Against Protesters

As thousands of people gather on the streets of Hong Kong demanding democratic elections, security researchers have uncovered two pieces of mobile malware appearing to be used by the Chinese government to keep a close eye on pro-democracy protesters.

As thousands of people gather on the streets of Hong Kong demanding democratic elections, security researchers have uncovered two pieces of mobile malware appearing to be used by the Chinese government to keep a close eye on pro-democracy protesters.

The people of Hong Kong are protesting because they want to democratically elect a leader at the 2017 elections. The Chinese government initially promised not to interfere, but it later announced that it will vet leadership candidates.

Days after protests started, people taking part in the demonstrations started receiving messages on their Android phones through WhatsApp. The messages purport to come from a group of activist coders called “Code4HK” and they contain a link that allegedly leads to an app designed to help coordinate the protests.

 Researchers at Lacoon Mobile Security have analyzed the app and determined that it’s actually a mobile remote access Trojan (mRAT) that’s designed to collect various types of information from infected devices.

The malware is designed to harvest address books, SMS messages, call logs, location, media files, emails, browser history, and information on the infected device, including its ID, CPU frequency, memory and network data.

While analyzing the command and control (C&C) server used by the threat, researchers came across an mRAT designed for iOS devices. The malware, dubbed “Xsser,” is capable of harvesting address books, call logs, SMS messages, app authentication data, location, operating system data, pictures, and communications from the popular Chinese messaging app Tencent.

Lacoon hasn’t been able to determine how Xsser mRAT is distributed, but researchers have pointed out that the malware only works on jailbroken devices. 

“Cross-Platform attacks that target both iOS and Android devices are rare, and indicate that this may be conducted by a very large organization or nation state. The fact that this attack is being used against protesters and is being executed by Chinese-speaking attackers suggests it’s first iOS trojan linked to Chinese government cyber activity,” Lacoon researchers wrote in a blog post.

Advertisement. Scroll to continue reading.

“The Xsser mRAT is itself significant because it’s the first and most advanced, fully operational Chinese iOS trojan found to date. Although it shows initial signs of being a targeted attack on Chinese protesters, the full extent of how Xsser mRAT is being used is anyone’s guess. It can cross borders easily, and is possibly being operated by a Chinese-speaking entity to spy on individuals, foreign companies, or even entire governments,” they added.

The attackers have leveraged several services and techniques to make sure they can’t be identified. For example, the C&C servers are connected to a virtual private server (VPS) service and they can be accessed through the remote desktop protocol (RDP). Furthermore, a special China-based service has been used to protect the identity of the individuals who registered the C&C domains.

“Xsser is an example of what’s coming and why BYOD will be a disaster unless mobile operating systems are protected,” John Prisco, president and CEO of Triumfant, told SecurityWeek in an emailed statement. “Android is open but iOS is not. I am calling for Apple to cooperate and collaborate with the security industry to help us protect ourselves in this next wave of cyber-attacks.” 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

MSSP Dataprise has appointed Nima Khamooshi as Vice President of Cybersecurity.

Backup and recovery firm Keepit has hired Kim Larsen as CISO.

Professional services company Slalom has appointed Christopher Burger as its first CISO.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.