Chinese government targets HK protester’s phones with malware (maybe)

Douglas Crawford

October 8, 2014

With its numbers shrinking rapidly, it seems the pro-democracy Occupy protests in Hong Kong may be entering their final stages. As the world looks on and hopes that the remarkable events of the past few weeks will lead to a more democratic Hong Kong, a number of worrying aspects of the Chinese government’s response may hint otherwise.

One of these is the fact that the ‘Umbrella Revolution’ protesters have been deliberately targeted by Trojan malware spread through social media phishing attacks. Although no direct evidence exists that the malware was spread by the government, the fact that the attack used sophisticated ‘Xsser mRAT’ spyware, and was targeted at both iOS and Android users, has raised suspicions (Xsser mRAT is iOS specific, but a very similar attack launched from the same server targeted Android users).

Ohad Bobrov is the CEO of Israeli security firm Lacoon Mobile Security, which spotted the Remote Access Trojan (RAT) mobile spyware being distributed to Hong Kong demonstrators in the guise of an app aimed at co-ordinating protests. He noted that,

“Cross-Platform attacks that target both iOS and Android devices are rare, and indicate that this may be conducted by a very large organisation or nation state. The fact that this attack is being used against protesters and is being executed by Chinese-speaking attackers suggests it’s the first iOS Trojan linked to Chinese Government cyber activity.”

Once a device is infected, Xsser mRAT exposes virtually any information on iOS devices, including SMS, email, and instant messages, and can also reveal location data, usernames and passwords, call logs and contact information.

Both the Android and iOS mRATs were spread through the WhatsApp mobile app, and were downloaded by many because they appeared to have been written by activist developer group Code4HK in support of the protests. The iOS version can only infect jailbroken phones, but jailbreaking phones is very popular in Hong Kong as it allows iOS users to access China/Hong Kong specific apps not published by the iTunes store (mainly through the Pangu portal).

Infected phones allow the attacker access to just about all data stored on the phone, including emails, messages, address book, GSM location data, and photos. In addition to this, the Android version allows attackers to make phone calls, record a phone’s surroundings, visit URLs to download files, and execute a host of other commands* (*we are not sure, but the app may need to be rooted for an attacker to gain access to all these features). Scary indeed!

Attackers targeting iOS, on the other hand, can gain access to users’ passwords and usernames stored in the iOS keychain, as well as message archives from the Tencent app (a very popular social network in China). The existence of unimplemented commands in the code suggests that the iOS version of the spyware is not yet finished, and may be capable of causing additional damage in the future…