Hong Kong activists who have taken to the streets to demand electoral freedom are being targeted by mobile spyware – an Android and iOS remote-access Trojan to be precise.
Israeli security firm Lacoon Mobile Security spotted the Xsser mRAT spyware being distributed under the guise of an app to help coordinate the Occupy Central protests in the autonomous region.
Protestors were being targeted with the iOS trojan and a related Android spyware, the latter of which was sent over WhatsApp messages under the guise of local coder activist group Code4HK, according to researchers Shalom Bublil, Daniel Brodie and Avi Bashan.
Founder Ohad Bobrov said the manufacture of a targeted iOS and Android app appeared to indicate a well-resourced attacker, possibly the Chinese Government.
"Cross-Platform attacks that target both iOS and Android devices are rare, and indicate that this may be conducted by a very large organisation or nation state," Bobrov wrote.
"The fact that this attack is being used against protesters and is being executed by Chinese-speaking attackers suggests it's first iOS Trojan linked to Chinese Government cyber activity.
"When infected, Xsser mRAT exposes virtually any information on iOS devices including SMS, email, and instant messages, and can also reveal location data, usernames and passwords, call logs and contact information."
It would steal credentials for Apple ID, email accounts and other information in the iOS keychain which were uploaded to a remote server.
Bobrov said the Xsser mRAT, which despite its name did not include cross-site scripting (XSS) capabilities, was the most advanced "fully operational" Chinese iOS Trojan yet found.
The Android version requested access to the full suite of permissions including a users' contacts, location, browser and call history, and text messages, and was spread alongside text enticing users to install the malware.
The iOS version could only infect jailbroken iOS products which were as a result not bound by Apple's stricter application security requirements that banned third-party installation.
Xsser mRAT C&C's login. Lacoon Mobile Security.
The extent of the trojan's deployment is unknown, but it could be tailored for use in other spying campaigns.
Xsser mRAT was hosted on the same command and control domain as the Android malware. Researchers found the malware as a Debian package hosted on a private Cydia repository which installed an iOS launched service that booted the app on start up.
The attackers used a private domain registration to hide their IDs from a casual Whois search. Additional technical detail was available in the Lacoon blog. ®