The protesters are dependent on mobile apps to coordinate their huge, seemingly unstoppable uprising, and someone — maybe the Politburo, maybe a contractor — has released virulent iOS and Android malware into their cohort, and the pathogens are blazing through their electronic ecosystem.
The Android malware spreads via WhatsApp messages; the iOS version — "Xsser mRAT" — is spread through Cydia, an alternative to Apple's App Store. Both masquerade as messenger apps from the activist group Code4HK. The Apple version uses the same command server as the Chinese version of the Xsser cross-site scripting hacking tool.
Once installed, the malware — a form of RAT, or Remote Access Trojan — can access the devices' messages, passwords, photos, videos, and keystrokes. Additionally, the Android version can send messages, place calls, upload files and run other local commands.
The major analysis of the malware has been undertaken by Lacoon Mobile Security, whose post on their discoveries (see also) is a must-read.
Like other iOS RATs, this malware requires that the device be jailbroken in order for it to be installed—it’s not something that users download from the Apple app store. But that step may have been aided by the prevalence of public jailbreaks for iOS devices in China to gain access to local applications not published through Apple’s iTunes store, thanks largely to Pangu. Xsser mRAT installs through Cydia, an alternative to the iTunes store for jailbroken devices, as a Debian .deb package file.
Both the Android and iOS mRATs can pull huge swaths of data from the infected devices: hardware and operating system information, address books, call logs, SMS messages, location data, and photos, for starters. The Android version can also record audio, place calls, execute other commands on the device, and download files from a URL or directly from the remote attacker’s computer.
The iOS mRAT, according to Lacoon researchers, can also gain access to passwords and usernames stored in the iOS keychain and the local archives for Tencent’s Mobile QQ, a popular Chinese messaging application. The breakdown of Xsser mRAT also found a number of unimplemented commands in the code, indicating that the Trojan is still under development and additional features may be pushed out to infected devices. Included among the referenced, but unimplemented, commands were features already in the Android mRAT—sending SMS messages, placing phone calls, running local commands, and uploading files to the device.
Identifying exactly who’s behind these mRAT Trojans isn’t easy. The servers for their CnC network are virtual Windows servers hosted on a Chinese virtual private server (VPS) service, the identity of which is hidden behind a “whois protection service” operated by Jiangsu Bangning Science and Technology Co. Ltd—a Chinese ISP and domain registration services company. Similar tactics have been used by other cybercriminals based out of China—and other countries—in the past.
Year of the RAT: China’s malware war on activists goes mobile [Sean Gallagher/Ars Technica]
(Image: occupy-central-parade-of-culprit-ef-24-70mm-f4l-is-1d4-cr-9614, alcuin lai, CC-BY-SA)