As thousands of protesters flood the streets of Hong Kong demanding a democratic election, the Chinese government is reportedly using sophisticated malware to spy on not only Android devices, but iOS devices as well.
But don’t worry about China peeking at your Snapchats. There has yet to be a widespread instance of iOS malware in the wild, and this particularly “advanced” trojan still requires a tremendous amount of complicit behavior on the victim’s part.
Originally targeted at Android devices, the phishing attack started spreading through a link shared on WhatsApp saying, “Check out this Android app designed by Code4HK for the coordination of OCCUPY CENTRAL!” Once the app is downloaded, the phone’s contents are sent to remote servers that appear to be controlled by the Chinese government.
Social media outlets like Instagram have been blocked in mainland China since the protests began. Protesters in Hong Kong have turned to messaging apps like FireChat that don’t require an internet connection.
Malware is much more prevalent on Android because it’s easier for the user to run unsigned code at the root level. On iOS, jailbreaking is required to perform similar functions and get past Apple’s restrictions. Only a small minority of iOS users jailbreak to begin with, although the practice is generally more common in Asia than North America.
Lacoon Mobile Security’s findings uncovered a trojan called Xsser used in Hong Kong that specifically targets iOS devices.
The Xsser mRAT is itself significant because while there have been other iOS trojans found previously, this is the first and most advanced, fully operational Chinese iOS trojan found to date. Although it shows initial signs of being a targeted attack on Chinese protesters, the full extent of how Xsser mRAT is being used is anyone’s guess. It can cross borders easily, and is possibly being operated by a Chinese-speaking entity to spy on individuals, foreign companies, or even entire governments.
Exactly how the trojan would get onto a jailbroken iPhone is unclear, because the user has to manually add the trojan’s source repo in Cydia, the jailbreak alternative to the App Store.
Update: Article updated with correction that social media has been blocked in mainland China, not Hong Kong.
