An iOS version of an Android espionage Trojan targeting activists and protester in Hong Kong has been discovered and is on the same command-and-control server the Android malware is currently running on.
Lacoon Mobile Security researchers have identified an iOS version of a mobile remote access Trojan dubbed, Xsser, affecting only jailbroken iOS devices. Lacoon is calling this the “first iOS trojan linked [the] to Chinese government,” previously in April a German security consulting agency known as SektionEins reported an iOS malware campaign dubbed, Unflod Baby Panda, that too targeted jailbroken iOS devices and was found linked to China as well.
Two years ago, Citizen Lab at the Munk School of Global Affairs at the University of Toronto published a paper on the use of an iOS Trojan to spy on protesters in the Middle East. The malware they identified was connected to the popular FinFisher toolkit, a high powered government surveillance tool.
Governments around the world have targeted activists with previously discovered Android malware that performs similar actions such as reporting back device data, siphoning off configuration data along with targeting its physical location based on cell tower information. Many governments have been caught spying on their citizens as well as stealing data from their devices.
Many mobile device Trojans are known for tracking users locations, SMS logging, call recording and contact exfiltration according to security experts.
While Lacoon’s discovery doesn’t seem to be correlated to any previous iOS Trojans, it houses a number of similarities found in popular mobile Trojans. Lacoon researchers said that both the Android and iOS Trojans discovered are able to extract address book information, SMS messages, call logs, location data based on cell tower information, steal photographs, steal Operating System data, steal data stored in Tencent QQ Archive, a popular messaging app ‘QQ’ in China, and passwords among other authentication information used by the iOS keychain.
“Although it shows initial signs of being a targeted attack on Chinese protesters, the full extent of how Xsser mRAT is being used is anyone’s guess,” wrote Lacoon researchers Shalom Bublil, Daniel Brodie, and Avi Bashan. “It can cross borders easily, and is possibly being operated by a Chinese-speaking entity to spy on individuals, foreign companies, or even entire governments.”
Lacoon said its researchers stumbled upon the iOS Xsser Trojan while investigating an Android malware sample they found to be used in an attack against protesters involved in the Occupy Central pro-democracy movement in Hong Kong. The Android malware posed as an application that would help Occupy Central protesters coordinate demonstrations, and was distributed via WhatsApp messages from an anonymous source pretending to be the Code4HK activists coder. Victims clicking on the link were infected with a remote access Trojan (RAT). Lacoon researchers who inspected a domain distributing the Android malware found that it acted as a command-and-control server for the malware and contained a Cydia repository for an iOS RAT.
Attackers are taking advantage of users’ access to jailbroken iOS devices. Jailbreaking an iOS device gives users greater control and the ability to bypass software restrictions. As it gives users greater access to install hacks and tweaks on their iOS devices, it also lowers security and opens holes throughout the device.
Lacoon researchers said that servers used by the attackers are protected by a virtual private server (VPS) service and can be easily accesses remotely via remote desktop (RDP) connections.
“Upon trying to investigate the identities of the connected domains further, it appears the attackers have made quite an effort to maintain their anonymity by using a Whois protection service,” Lacoon researchers said. “This is essentially a Chinese company that provides customers with a registration service for domain to avoid a connection to the real domain owners.”