An iOS version of an Android espionage Trojan targeting activists and protestors in Hong Kong has been discovered on the command and control server hosting the Android malware.
The iOS version, a mobile remote access Trojan dubbed Xsser by Lacoon Mobile Security, affects only jailbroken iOS devices. Lacoon is calling this the first such iOS Trojan used in a China-sponsored nation-state attack, but in April a German security consultancy called SektionEins reported on an iOS malware campaign it called Unflod Baby Panda. It too targeted jailbroken iOS devices and was linked to China.
Two years ago, Citizen Lab at the Munk School of Global Affairs at the University of Toronto published a paper on the use of an iOS Trojan to spy on dissidents in the Middle East. That malware was connected to the controversial FinFisher toolkit, commercially sold spyware used to record calls, download device information and stored data, and report location data to a remote server.
In the past, Tibetan activists have been targeted by Android malware that performs similar duties, reporting back device data and configuration information to a centralized server as well as the physical location of a target based on cell tower information. For activists in oppressed areas of the world such as Tibetans living in China or in exile, protestors in Hong Kong, or dissidents in Syria or Bahrain, such spyware puts their physical well-being at risk.
“Location tracking, SMS logging, call recording, and contact exfiltration are all popular capabilities of mobile Trojans. We’re even seeing this type of capability in the ‘spyware’ apps that are showing up in domestic abuse cases,” said Morgan Marquis-Boire, researcher at Citizen Lab. Marquis-Boire has authored a number of research papers on government-sponsored spyware, including the FinFisher mobile spyware.
While the sample uncovered by Lacoon doesn’t seem to be related to the previous iOS Trojans, its capabilities are in line with theirs. Lacoon said both the Android and iOS Trojans it discovered are able to extract address book information, SMS messages, call logs, location data based on cell tower information, photographs, OS data, data stored by Tencent Archive, a popular messaging app in China, and passwords and other authentication information stored in the iOS keychain.
“Although it shows initial signs of being a targeted attack on Chinese protesters, the full extent of how Xsser mRAT is being used is anyone’s guess,” wrote Lacoon researchers Shalom Bublil, Daniel Brodie, and Avi Bashan. “It can cross borders easily, and is possibly being operated by a Chinese-speaking entity to spy on individuals, foreign companies, or even entire governments.”
Lacoon said its researchers happened upon the iOS Trojan while investigating an Android sample used in an attack against protestors involved in the Occupy Central pro-democracy movement in Hong Kong. Links to the malware, posing as an app that could be used to help coordinate Occupy Central demonstrations, were sent via WhatsApp messages from an anonymous source pretending to be Code4HK activist coders. Recipients who clicked the link were infected by the RAT. Lacoon researchers inspecting a domain extracted from the malware sample found that it acted as a command and control server for the malware and also hosted a Cydia repository serving an iOS RAT.
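A Cydia repository is an ordinary APT repository: the server publishes a `Packages` index in Debian control format listing each .deb it serves. When a suspected C2 domain turns out to host one, the first thing a responder wants is an inventory of what it offers, with download URLs and published hashes, without installing anything. The following Python is an added example written for this page, not Lacoon's tooling or anything recovered from the Xsser repository; the `Packages` text, package names and the `http://repo.example/` base URL are constructed for illustration.

```python
from typing import Dict, List

# Constructed sample of a Cydia/APT "Packages" index. The stanzas, package
# identifiers and hash are hypothetical and are NOT indicators from the real
# Xsser repository; they only show the format a responder would parse.
SAMPLE_PACKAGES = """\
Package: com.example.coordinate
Version: 1.0.3
Architecture: iphoneos-arm
Depends: firmware (>= 6.0), mobilesubstrate
Filename: debs/coordinate_1.0.3_iphoneos-arm.deb
Size: 184320
MD5sum: 0123456789ABCDEF0123456789abcdef
Section: Utilities
Description: Helper for coordinating demonstrations
 Second line of the description (continuation line)
Name: Coordinate

Package: com.example.theme
Version: 2.1
Architecture: iphoneos-arm
Filename: debs/theme_2.1_iphoneos-arm.deb
Size: 40960
Section: Themes
Description: Lock screen theme
Name: Theme
"""


def parse_packages(text: str) -> List[Dict[str, str]]:
    """Parse an APT/Cydia Packages index into one dict per stanza.

    Stanzas are separated by blank lines; each line is "Field: value".
    A line starting with whitespace continues the previous field's value.
    """
    stanzas: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_field = ""
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current, last_field = {}, ""
            continue
        if line[0] in " \t" and last_field:
            current[last_field] += "\n" + line.strip()
            continue
        field, _, value = line.partition(":")
        last_field = field.strip()
        current[last_field] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def inventory(text: str, base_url: str) -> List[Dict[str, object]]:
    """Build a download/hash inventory from a Packages index.

    base_url is the repository root the index was fetched from; each stanza's
    Filename is relative to it. Depends is reduced to bare package names so the
    analyst can see which entries load into other processes via MobileSubstrate.
    Missing fields are reported as empty strings rather than raising.
    """
    root = base_url.rstrip("/")
    out: List[Dict[str, object]] = []
    for st in parse_packages(text):
        depends = [d.strip().split(" ")[0]
                   for d in st.get("Depends", "").split(",") if d.strip()]
        out.append({
            "package": st.get("Package", ""),
            "version": st.get("Version", ""),
            "url": root + "/" + st.get("Filename", "").lstrip("/"),
            "md5": st.get("MD5sum", "").lower(),   # normalise for hash lookups
            "depends": depends,
        })
    return out


if __name__ == "__main__":
    # In practice the index comes from <repo>/Packages (or Packages.bz2/.gz)
    # fetched over a sandboxed connection; here we use the constructed sample.
    for entry in inventory(SAMPLE_PACKAGES, "http://repo.example/"):
        print(entry["package"], entry["version"], entry["url"], entry["md5"],
              "substrate" if "mobilesubstrate" in entry["depends"] else "")
```

The output is a list a responder can act on: fetch each .deb from a throwaway host, verify it against the published MD5sum (a mismatch means the index and the served binary disagree, itself worth noting), and unpack it with `dpkg-deb -x` rather than installing it. A dependency on `mobilesubstrate` is normal for jailbreak tweaks, so it is a pointer to code that will be injected into other apps, not proof of malice on its own.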
The attackers are taking advantage of users’ access to jailbroken iOS devices.
“Jailbreaking gives the user great control of their device, but can lead to lowered security,” Marquis-Boire said. “Jailbroken iPhones are definitely more vulnerable to malware than stock factory versions.”
Lacoon researchers said the servers used by the attackers are hosted on a virtual private server (VPS) service and can be accessed remotely.
“Upon trying to investigate the identities of the connected domains further, it appears the attackers have made quite an effort to maintain their anonymity by using a Whois protection service,” the researchers said. “This is essentially a Chinese company that provides customers with a registration service for domains to avoid a connection to the real domain owners.”