Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Xsser Malware Targeting iOS, Android Devices

Researchers at Akamai Technologies released an advisory today about a mobile remote access Trojan (mRAT) used to target iOS and Android devices.

Researchers at Akamai Technologies released an advisory today about a mobile remote access Trojan (mRAT) used to target iOS and Android devices.

The Xsser mRAT is spread through man-in-the-middle and phishing attacks, according to Akamai’s Prolexic Security Engineering and Research Team (PLXsert). The researchers believe the malware is being used by an organized group targeting owners of specific phones and software vendors with the goal of stealing credentials, hijacking browsing sessions or execute code at the compromised devices.

The activity began in September and has been observed mostly in Asia. The attacks have focused on software vendors, software-as-a-service (SaaS) providers and Internet service providers, and have also attempted to serve malicious applications via phishing techniques or by impersonating legitimate websites. Other attacks use phishing to trick users into downloading applications being hosted on third-party repositories.

David Fernandez, manager of the Akamai PLXsert team, told SecurityWeek that the attacks are not widespread as of yet. As of now, the command-and-control has been taken down, the advisory notes. 

While the malware previously only impacted Android, the latest variant of the malware affects jailbroken iOS devices, according to the advisory.

“The app is installed via a rogue Cydia repository and once the bundle has been installed and executed, it gains persistence,” the advisory notes. “It then makes server-side checks and proceeds to exfiltrate data from the user’s device and executes remote commands from its commandand-control (C2) server.”

“Sophisticated malicious actors are targeting unsuspecting mobile device users,” said Stuart Scholly, senior vice president and general manager of the Security Business Unit at Akamai, in a statement. “Attackers are impersonating or bypassing Google and Apple app stores and using social engineering to trick users into downloading unverified apps that install malicious applications such as the Xsser remote access Trojan onto a user’s mobile device. For example, attackers offered a counterfeit Flappy Birds app download to deliver the malicious software.”

“Infected phones with the remote access software installed could be used for a wide variety of malicious purposes including surveillance, the stealing of login credentials, launching distributed denial of service (DDoS) attacks, and more,” added Scholly. “With more than a billion smartphone users worldwide, this kind of malware creates significant risks to privacy and a risk of rampant illegal activity.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.