Researchers at Akamai Technologies released an advisory today about a mobile remote access Trojan (mRAT) used to target iOS and Android devices.
The Xsser mRAT is spread through man-in-the-middle and phishing attacks, according to Akamai’s Prolexic Security Engineering and Research Team (PLXsert). The researchers believe the malware is being used by an organized group targeting owners of specific phones and software vendors with the goal of stealing credentials, hijacking browsing sessions or execute code at the compromised devices.
The activity began in September and has been observed mostly in Asia. The attacks have focused on software vendors, software-as-a-service (SaaS) providers and Internet service providers, and have also attempted to serve malicious applications via phishing techniques or by impersonating legitimate websites. Other attacks use phishing to trick users into downloading applications being hosted on third-party repositories.
David Fernandez, manager of the Akamai PLXsert team, told SecurityWeek that the attacks are not widespread as of yet. As of now, the command-and-control has been taken down, the advisory notes.
While the malware previously only impacted Android, the latest variant of the malware affects jailbroken iOS devices, according to the advisory.
“The app is installed via a rogue Cydia repository and once the bundle has been installed and executed, it gains persistence,” the advisory notes. “It then makes server-side checks and proceeds to exfiltrate data from the user’s device and executes remote commands from its commandand-control (C2) server.”
“Sophisticated malicious actors are targeting unsuspecting mobile device users,” said Stuart Scholly, senior vice president and general manager of the Security Business Unit at Akamai, in a statement. “Attackers are impersonating or bypassing Google and Apple app stores and using social engineering to trick users into downloading unverified apps that install malicious applications such as the Xsser remote access Trojan onto a user’s mobile device. For example, attackers offered a counterfeit Flappy Birds app download to deliver the malicious software.”
“Infected phones with the remote access software installed could be used for a wide variety of malicious purposes including surveillance, the stealing of login credentials, launching distributed denial of service (DDoS) attacks, and more,” added Scholly. “With more than a billion smartphone users worldwide, this kind of malware creates significant risks to privacy and a risk of rampant illegal activity.”
