Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Chinese Government Suspected of Using iOS, Android RATs Against Protesters

As thousands of people gather on the streets of Hong Kong demanding democratic elections, security researchers have uncovered two pieces of mobile malware appearing to be used by the Chinese government to keep a close eye on pro-democracy protesters.

As thousands of people gather on the streets of Hong Kong demanding democratic elections, security researchers have uncovered two pieces of mobile malware appearing to be used by the Chinese government to keep a close eye on pro-democracy protesters.

The people of Hong Kong are protesting because they want to democratically elect a leader at the 2017 elections. The Chinese government initially promised not to interfere, but it later announced that it will vet leadership candidates.

Days after protests started, people taking part in the demonstrations started receiving messages on their Android phones through WhatsApp. The messages purport to come from a group of activist coders called “Code4HK” and they contain a link that allegedly leads to an app designed to help coordinate the protests.

 Researchers at Lacoon Mobile Security have analyzed the app and determined that it’s actually a mobile remote access Trojan (mRAT) that’s designed to collect various types of information from infected devices.

The malware is designed to harvest address books, SMS messages, call logs, location, media files, emails, browser history, and information on the infected device, including its ID, CPU frequency, memory and network data.

While analyzing the command and control (C&C) server used by the threat, researchers came across an mRAT designed for iOS devices. The malware, dubbed “Xsser,” is capable of harvesting address books, call logs, SMS messages, app authentication data, location, operating system data, pictures, and communications from the popular Chinese messaging app Tencent.

Lacoon hasn’t been able to determine how Xsser mRAT is distributed, but researchers have pointed out that the malware only works on jailbroken devices. 

“Cross-Platform attacks that target both iOS and Android devices are rare, and indicate that this may be conducted by a very large organization or nation state. The fact that this attack is being used against protesters and is being executed by Chinese-speaking attackers suggests it’s first iOS trojan linked to Chinese government cyber activity,” Lacoon researchers wrote in a blog post.

“The Xsser mRAT is itself significant because it’s the first and most advanced, fully operational Chinese iOS trojan found to date. Although it shows initial signs of being a targeted attack on Chinese protesters, the full extent of how Xsser mRAT is being used is anyone’s guess. It can cross borders easily, and is possibly being operated by a Chinese-speaking entity to spy on individuals, foreign companies, or even entire governments,” they added.

The attackers have leveraged several services and techniques to make sure they can’t be identified. For example, the C&C servers are connected to a virtual private server (VPS) service and they can be accessed through the remote desktop protocol (RDP). Furthermore, a special China-based service has been used to protect the identity of the individuals who registered the C&C domains.

“Xsser is an example of what’s coming and why BYOD will be a disaster unless mobile operating systems are protected,” John Prisco, president and CEO of Triumfant, told SecurityWeek in an emailed statement. “Android is open but iOS is not. I am calling for Apple to cooperate and collaborate with the security industry to help us protect ourselves in this next wave of cyber-attacks.” 

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...