Lacoon Mobile Security researchers recently came across a mobile remote access Trojan (mRAT) targeting protesters in Hong Kong, different versions of which are capable of infecting both Android and iOS devices.
According to the researchers, the Android malware is being delivered via links in WhatsApp phishing messages that state, “Check out this Android app designed by Code4HK, group of activist coders, for the coordination of Occupy Central!”
Code4HK is an actual group of activist coders in Hong Kong — though the group’s own website warns, “No one from the Code4HK community has done any application on [Occupy Central] at the moment nor sent the message out. Warning: Not recommended to connect to these IP addresses or URLs unless you know what you are doing.”
Android users who follow the link in the WhatsApp message are served a standalone .apk file, which they must install manually since it is not distributed through Google Play; once installed, it can exfiltrate almost any data on the device, upload files to the device, delete files from the device, place calls to a number, and record audio.
While it’s not clear how many Android users may have already been infected by the malware, Lacoon CEO Michael Shaulov told the New York Times that in similar attacks in the past, one in 10 phones that received such messages became infected.
“These really cheap social engineering tricks, they have a high rate of success,” Shaulov said.
On iOS, the delivery method isn’t clear: Lacoon researchers found the iOS variant, which runs only on jailbroken devices (that is, devices on which the user has already disabled Apple’s code-signing enforcement), hosted on a command and control server used by the Android malware. The registrant of the command and control domains is hidden behind a WHOIS privacy service.
Still, the iOS malware, which Lacoon calls Xsser, can extract and upload almost any information on the device, including SMS, email and instant messages, as well as location data, call logs, contact information, and user names and passwords.
“Cross-platform attacks that target both iOS and Android devices are rare, and indicate that this may be conducted by a very large organization or nation state,” Lacoon CTO and co-founder Ohad Bobrov wrote in a blog post describing the threat.
“The fact that this attack is being used against protesters and is being executed by Chinese-speaking attackers suggests it’s [the] first iOS Trojan linked to Chinese government cyber activity,” Bobrov added.
CrowdStrike co-founder and CTO Dmitri Alperovitch told the New York Times that more such attacks are likely in the coming weeks. “We expect to see a more aggressive tempo by the Chinese to try to spread disinformation, to try to compromise individuals that are involved from a public relations perspective,” he said.
While it is notable to see government-sponsored malware targeting both Android and iOS devices, it’s worth noting that Xsser is hardly the first example of government-developed malware in the wild. Back in 2010, the Stuxnet malware, allegedly developed in the U.S. and Israel, targeted Iranian nuclear facilities; in October 2011, a Trojan was discovered that appeared to have been developed by the German government to intercept instant messages; in December 2012, FireEye researchers came across the Sanny malware, which appeared to have been developed in Korea to target Russia’s space research, information, education and telecom industries; and in July 2014, Sentinel Labs researchers detected malware called Gyges, which appeared to have originated in Russia as part of a government espionage campaign.