You dirty RAT! Hong Kong protesters infected by iOS, Android spyware

Did China fling remote access Trojan at Occupy Central?


Hong Kong activists who have taken to the streets to demand electoral freedom are being targeted by mobile spyware – an Android and iOS remote-access Trojan to be precise.

Israeli security firm Lacoon Mobile Security spotted the Xsser mRAT spyware being distributed under the guise of an app to help coordinate the Occupy Central protests in the autonomous region.

Protesters were being targeted with both the iOS Trojan and a related Android spyware; the Android version was pushed out in WhatsApp messages purporting to come from the local coder-activist group Code4HK, according to researchers Shalom Bublil, Daniel Brodie and Avi Bashan.

Lacoon founder Ohad Bobrov said that building targeted iOS and Android apps pointed to a well-resourced attacker, possibly the Chinese government.

"Cross-Platform attacks that target both iOS and Android devices are rare, and indicate that this may be conducted by a very large organisation or nation state," Bobrov wrote.

"The fact that this attack is being used against protesters and is being executed by Chinese-speaking attackers suggests it's the first iOS Trojan linked to Chinese Government cyber activity.

"When infected, Xsser mRAT exposes virtually any information on iOS devices including SMS, email, and instant messages, and can also reveal location data, usernames and passwords, call logs and contact information."

Xsser mRAT (image: Lacoon Mobile Security)

It also lifts Apple ID and email credentials, along with other secrets held in the iOS keychain, and uploads them to a remote server.

Bobrov said the Xsser mRAT, which despite its name did not include cross-site scripting (XSS) capabilities, was the most advanced "fully operational" Chinese iOS Trojan yet found.

The Android version requested the full suite of sensitive permissions, including a user's contacts, location, browser and call history, and text messages, and was spread alongside text enticing users to install the malware.
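That permission set is itself a useful triage signal. As an added example (not Lacoon's tooling, and not the real sample), the script below parses a constructed AndroidManifest.xml of the kind apktool decodes from an APK and flags the combination the researchers describe: contacts, location, browser history, call log and SMS, plus an Internet permission to ship it all out and a boot receiver for persistence. The package name, class name and label are invented.

```python
"""Triage an Android manifest for a mobile-RAT permission profile.
Added example, not Lacoon's code; the manifest is constructed, not the
real Code4HK-themed sample, and every name in it is invented."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest standing in for what apktool would decode from an APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="hk.example.occupy.helper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Code4HK Helper">
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# The data categories the article lists, keyed to the permissions that expose them.
SURVEILLANCE_GROUPS = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "browser_history": {"com.android.browser.permission.READ_HISTORY_BOOKMARKS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
}


def requested_permissions(manifest_xml):
    """Set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission")}


def boot_persistence(manifest_xml):
    """True if any intent filter listens for BOOT_COMPLETED (restart on reboot)."""
    root = ET.fromstring(manifest_xml)
    return any(a.get(f"{{{ANDROID_NS}}}name") == "android.intent.action.BOOT_COMPLETED"
               for a in root.iter("action"))


def triage(manifest_xml):
    """Summarise which surveillance categories the app can reach and whether it
    has a network channel to exfiltrate them; all five plus INTERNET is RAT-like."""
    perms = requested_permissions(manifest_xml)
    groups = {g for g, names in SURVEILLANCE_GROUPS.items() if perms & names}
    internet = "android.permission.INTERNET" in perms
    return {
        "groups": groups,
        "internet": internet,
        "boot": boot_persistence(manifest_xml),
        "rat_like": groups == set(SURVEILLANCE_GROUPS) and internet,
    }


if __name__ == "__main__":
    verdict = triage(SAMPLE_MANIFEST)
    print("RAT-like" if verdict["rat_like"] else "not flagged", sorted(verdict["groups"]))
```

On a real APK, decode it first (apktool d sample.apk) and feed the resulting AndroidManifest.xml to triage(); a legitimate coordination app has no business asking for SMS, call log and browser history together.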

The iOS version could only infect jailbroken devices, which are no longer bound by Apple's application security controls that block installation from outside the App Store.

Xsser mRAT C&C login page (image: Lacoon Mobile Security)

The extent of the Trojan's deployment is unknown, but it could be tailored for use in other spying campaigns.

Xsser mRAT used the same command-and-control domain as the Android malware. The researchers found the iOS sample distributed as a Debian package on a private Cydia repository; on installation it registered a launchd service so the implant started at boot.
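As an added example (not code from Lacoon or from the malware), here is how an analyst can check such a package for that persistence hook without installing it. A .deb is an ar archive wrapping control.tar.* and data.tar.*, so the script builds a constructed package in memory, with an invented label, paths and package name, then lists any LaunchDaemons plist it would drop and whether RunAtLoad is set.

```python
"""Inspect a jailbreak-style .deb for launchd persistence.
Added example, not Lacoon's tooling: the package it builds is constructed
(label, paths and package name are invented), and the inspection side is
what you would run on a real download pulled from a Cydia repository."""
import io
import plistlib
import tarfile


def ar_archive(members):
    """Write a minimal 'ar' archive, the outer container of every .deb."""
    out = bytearray(b"!<arch>\n")
    for name, data in members:
        # 60-byte header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2)
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n"
        out += hdr.encode() + data
        if len(data) % 2:
            out += b"\n"          # ar pads member bodies to an even length
    return bytes(out)


def ar_members(blob):
    """Parse an 'ar' archive into {member name: bytes}."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    members, pos = {}, 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        name = hdr[:16].decode().strip().rstrip("/")   # GNU ar appends '/'
        size = int(hdr[48:58].decode().strip())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)
    return members


def tar_gz(files):
    """Pack {path: bytes} into a gzip-compressed tar, as dpkg-deb does."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _relative(name):
    return name[2:] if name.startswith("./") else name


# Constructed launchd job: RunAtLoad is what makes the implant survive a reboot.
DAEMON_PLIST = plistlib.dumps({
    "Label": "com.example.mrat",
    "ProgramArguments": ["/Library/PrivateFrameworks/mrat.bundle/mrat"],
    "RunAtLoad": True,
})


def build_sample_deb():
    """Assemble a constructed package shaped like one served from a Cydia repo."""
    control = (b"Package: com.example.mrat\nVersion: 1.0\n"
               b"Architecture: iphoneos-arm\nDescription: constructed sample\n")
    data = {
        "./Library/LaunchDaemons/com.example.mrat.plist": DAEMON_PLIST,
        "./Library/PrivateFrameworks/mrat.bundle/mrat": b"\xcf\xfa\xed\xfe" + b"\0" * 28,
    }
    return ar_archive([
        ("debian-binary", b"2.0\n"),
        ("control.tar.gz", tar_gz({"./control": control})),
        ("data.tar.gz", tar_gz(data)),
    ])


def _open_tar(members, prefix):
    name = next(n for n in members if n.startswith(prefix))
    # 'r:*' autodetects gz, bz2 and xz; the lzma-alone files Cydia packages
    # often use are handled by the same xz path.
    return tarfile.open(fileobj=io.BytesIO(members[name]), mode="r:*")


def package_name(deb_blob):
    """Return the Package: field from the control file."""
    with _open_tar(ar_members(deb_blob), "control.tar") as tf:
        for m in tf.getmembers():
            if _relative(m.name) == "control":
                for line in tf.extractfile(m).read().decode().splitlines():
                    if line.startswith("Package:"):
                        return line.split(":", 1)[1].strip()
    return None


def persistence_findings(deb_blob):
    """List every launchd job the package drops and whether it runs at boot."""
    findings = []
    with _open_tar(ar_members(deb_blob), "data.tar") as tf:
        for m in tf.getmembers():
            path = _relative(m.name)
            if not (path.startswith("Library/LaunchDaemons/") and path.endswith(".plist")):
                continue
            job = plistlib.loads(tf.extractfile(m).read())
            program = (job.get("ProgramArguments") or [job.get("Program")])[0]
            findings.append({"plist": "/" + path, "label": job.get("Label"),
                             "program": program, "run_at_load": bool(job.get("RunAtLoad"))})
    return findings


if __name__ == "__main__":
    deb = build_sample_deb()
    print(package_name(deb))
    for finding in persistence_findings(deb):
        print(finding)
```

To check a real download, replace build_sample_deb() with open(path, "rb").read(); nothing in the package is executed, only unpacked and read, so it is safe to run on an analysis box.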

The attackers used a private domain registration to hide their identities from a casual Whois search. Additional technical detail was available in the Lacoon blog. ®

Biting the hand that feeds IT © 1998–2022