Xsser iOS Trojan Spying on Hong Kong Protesters

Lacoon Mobile Security unearthed a sophisticated iOS Trojan named Xsser mRAT (mobile Remote Access Trojan), used to target pro-democracy protesters, in the Occupy Central protests in Hong Kong.

Trojan or Trojan horses are malwares that masquerades and as legitimate and useful apps, only to create a backdoor for unauthorized access to files in an infected system.  They are not new to iOS user, but Xsser is unique due to its timing and origin. Lacoon called it “the first and most advanced, fully operational Chinese iOS Trojan found to date.”

Once your devices has been infected, Xsser exposes all our personal information, including SMS, email, and instant messages, and can also reveal location data, usernames and passwords, call logs and contact information. Such information is enough to give the attackers your true identity, compromising privacy and security.

Xsser was discovered by Lacoon researchers who were investigating another Android spyware that have been raking havoc in Hong-Kong. The Android spyware disguising as app to help coordinate protests, was spread by attackers through WhatsApp messages.

Activists were receiving WhatsApp messages from anonymous numbers reading “Check out this Android app designed by Code4HK, group of activist coders, for the coordination of Occupy Central!” reported Lacoon. Once victims click the link, their devices are infected with an advanced mRAT, or mobile Remote Access Trojan.

Code4HK a programming community that is supporting the pro-democracy, have since denied any involvement in engineering of the two malware, leaving the Chinese government as the most probable culprit.

“Cross-Platform attacks that target both iOS and Android devices are rare, and indicate that this may be conducted by a very large organization or nation state. The fact that this attack is being used against protesters and is being executed by Chinese-speaking attackers suggests it’s the first iOS Trojan linked to the Chinese Government.” Read the company’s blog post

The new iOS Trojan is related to android spyware in that they both shared a Control and Command (CnC) server. That means both spyware could be engineered a same attacker from China. “It is the first time in history that you actually see an operationalized iOS Trojan that is attributed to some kind of Chinese entity,” reported Lacoon’s blog.

Lacoon’s CEO Mike Shaulov, told Reuters that mRAT Xsser is the most sophisticated malware ever targeted on iOS users.  “This is one the most interesting developments we have seen. It’s the first real indication that really sophisticated guys are shifting from infecting PCs or laptops to going after iOS devices.” Said Shaulov.

Despite the fact that Xsser mRAT malware seem to primarily target pro-democracy protestors in Hong Kong, Lacoon warns that the iOS Trojan does not discriminate Chinese and non-chines victims. It could be used elsewhere with far reaching effects. “It can cross borders easily, and is possibly being operated by a Chinese-speaking entity to spy on individuals, foreign companies, or even entire governments,” stated Lacoon on the company blog.

The extent and severity of Xsser threat is not clear. Lacoon is yet to come up with a precise figure of the affected victims. Jeremy Linden, a regular writer on security issues holds that the “Xsser mRAT does not pose an immediate risk to iOS devices in Hong Kong or elsewhere”. The malware requires several steps before it van successfully compromise a devices, reducing the treat level the threat significantly.

For a successful attack, the iOS device must be jailbroken, the Cydia app must be installed, a new Cydia repository must be added and finally the Xsser mRAT package must be installed from that specific repository. That means the attacker must either gain physical access to the target device or more unlikely convince the victim to complete the steps themselves.

Linden further questions the Lacoon’s argument that the iOS Trojan can “cross borders easily”. In his argument, Jailbroken devices are only common Asia and thus its unlikely for the malware to cross over to the western hemisphere where jailbreaking is uncommon. He concludes that a large scale iOS infection through Xsser is “highly impractical and unlikely”.

Whichever ever way you look at it, nobody refute the abilities Xsser to access and compromise the security of the users.  It proves that social engineering could be used to steal sensitive information from unsuspecting users. In this case attackers used the protests in Hong Kong to gain the trust of the victims. In future attackers may use a more innocent event such as a sporting activity or trade fare, to target and install malicious app in iOS devices.

Xsser is a major setback to Hong protestors who rely heavily on social media such as Facebook, twitter and other communication App to manage and organize the Occupy central protest.

Communication in China is highly censored, Xsser only adds to the misery of protestors. The Chinese government allegedly blocked Instagram and Facebook in China, in attempt to detract demonstrators from posting photos and messages of the #Occupycentral protests.

Meanwhile, locals have turned to FireChat, an offline messaging app, as an alternative communication mode. The FireChat app downloaded over 100,000 in less than a day according to CEO Micha Boneli. Under the free service users can share messages with other FireChat customers.

Ali Raza Ali is a freelance journalist, having 5 years of experience in web journalism and marketing. He contributes to various online publications. With a Master degree, now he combines his passions for writing about internet security and technology for SecurityGladiators. When he is not working, he loves traveling and playing games.
Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.