The very tool (cell phones) that has allowed millions of previously disconnected people to coordinate large civil protests in numerous countries is now being used to quash dissent in Hong Kong. If recent reports are proven correct, it appears that the cell phones of pro-democracy protesters in Hong Kong are deliberately being targeted with an app that is used as a “Trojan Horse” to infect protesters’ phones with spyware dubbed Xsser mRAT. The spyware is intended to allow “someone” to monitor the communications of the protesters.
Specifically, the spyware is spread when anonymous messages are sent via WhatsApp to smartphones stating, “Check out this Android app designed by Code4HK for the coordination of OCCUPY CENTRAL!” Occupy Central denies any association with the app or spyware. Once the app is downloaded, it implants spyware capable of accessing personal information, such as passwords and bank information, spying on phone calls and messages, and even tracking the physical location of the infected phone. An examination of the code suggests that the program was created by Chinese-speaking attackers. Because the target audience is the Hong Kong protesters and the code was written in Chinese, it suggests that the Chinese government and/or the highly skilled cyber warfare arm of its military are behind the attack.
Lacoon Mobile Security was instrumental in exposing the effort to suppress the pro-democracy protests in Hong Kong. As discussed by Lacoon, the attack is rare in that it was launched on both the Android and iOS platforms. In its September 30 blog post, Lacoon noted:
Cross-Platform attacks that target both iOS and Android devices are rare, and indicate that this may be conducted by a very large organization or nation state. The fact that this attack is being used against protesters and is being executed by Chinese-speaking attackers suggests it’s the first iOS trojan linked to Chinese government cyber activity.
The Xsser mRAT is itself significant because while there have been other iOS trojans found previously, this is the first and most advanced, fully operational Chinese iOS trojan found to date. Although it shows initial signs of being a targeted attack on Chinese protesters, the full extent of how Xsser mRAT is being used is anyone’s guess. It can cross borders easily, and is possibly being operated by a Chinese-speaking entity to spy on individuals, foreign companies, or even entire governments.
Attacking mobile devices instead of PCs should not come as a surprise in light of our increased dependence on smartphones. As these devices become the hub through which a vast majority of our daily communications flows, they will increasingly be targeted by those who wish to spy on or disrupt our communications. Governments may be early adopters of smartphone-based cyber attacks, but those engaged in for-profit hacks will not be far behind—especially if mobile payment systems such as Apple Pay and those promoted by Visa/MasterCard gain in popularity.