[Chapter-delegates] HK Protesters Targeted with Spyware

Glenn McKnight mcknight.glenn at gmail.com
Wed Oct 1 17:17:16 PDT 2014


Protesters in Hong Kong calling for democracy reforms are being targeted by
spyware that can affect both iPhones and smartphones running Google’s
Android software, a security company claims.

However the iPhone users among the thousands of protesters should be safe
if they have not bypassed Apple’s security system to “jailbreak” their
phones to install unapproved apps.

The discovery marks the second time that the demonstrators’ phones appear
to have been targeted since the protests began last week.

Dubbed Xsser mRAT by Israeli firm Lacoon Mobile Security, the malware is
being run from the same server as a malicious program targeting Android
phones spotted last week
<http://www.scmp.com/news/hong-kong/article/1594667/fake-occupy-central-app-targets-activists-smartphones>.
That masqueraded as an app for the Occupy Central pro-democracy movement
and was spread via messages on the cross-platform Whatsapp messaging system
which urged readers to “Check out this Android app designed by Code4HK for
the coordination of Occupy Central!”. Protest organisers said none of its
members had developed or distributed the application.

Lacoon said the Chinese government, which has been accused of various
digital attacks on activists in recent years, was likely coordinating the
attacks – though there is no proof the iPhone malware has infected any of
the protesters’ phones. Only those which have been “jailbroken” by the
owner to circumvent Apple’s normal security against unauthorised apps are
vulnerable. However some users in Asia have jailbroken their iPhones in
order to install local apps that are not approved for Apple’s App Store, or
run special software. The malware does not itself appear to be able to
jailbreak the iPhones.

The version targeting Android smartphones can spy on the user because it
masquerades as an app for organising the protest - and requests access to
the owner’s phone address book, web browsing history, location, text
messages, and phone call log. It can also record audio. Those details can
then be sent to a web server in South Korea which appears to be controlled
by a source in mainland China. If successfully installed, the iPhone
malware collects the same data.

“Cross-platform attacks that target both iOS [iPhone] and Android devices
are rare, and indicate that this may be conducted by a very large
organisation or nation state,” Lacoon co-founder Ohad Bobrov said in a blog
post
<https://www.lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/>.
“The fact that this attack is being used against protesters and is being
executed by Chinese-speaking attackers suggests it’s first iOS trojan
linked to Chinese government cyber activity.”

The US-based Electronic Frontier Foundation noted the likelihood of anyone
involved in the Hong Kong protests getting infected was not high, given iOS
devices had to be jailbroken and Android users still had to be tricked into
downloading the malicious software, which was not on the official Google
Play market and was not spreading on its own.

The EFF also said that just because the iOS and Android malware are run
from the same servers does not mean they are both aimed at Hong Kong
protesters.

Claudio Guarnieri, a security expert now working to help activists across
the globe, said over Twitter the iOS malware didn’t seem unique and was
certainly not as advanced as Lacoon had suggested, nor was there any
evidence it was hitting Hong Kong protesters.

But onlookers are still concerned about the range of malware targeting
activists over different platforms. Security firm Kaspersky Lab confirmed
it had also seen various examples of malicious apps for iOS and Android, as
well as spyware samples for other platforms, related to the Hong Kong
protests.

“Since nearly every part of our lives now has a digital aspect to it, it’s
no surprise, in a situation like this, to discover that there are those who
wish to steal information from those involved. It is not the first nor the
last attack of this kind. We previously observed both targeted and
cybercriminal attacks against mobile users. This is unlikely to stop
anytime soon, on the contrary, we are witnessing a steady growth of mobile
malware,” said David Emm, principal security researcher at Kaspersky Lab.

Guarnieri told the Guardian attacks over mobile on activists “have been
happening for a while already and certainly won’t stop”.

“By experience I see many activists putting an inherent trust in their
phones while growing a distrust in their computers, and that leads
sometimes to irresponsible use of both those technologies.”

In June, so-called “lawful interception” technology was seen posing as a
genuine Android news app, which appeared to be targeting people linked to
political protest in eastern Saudi Arabia
<http://citizenlab.org/2014/06/backdoor-hacking-teams-tradecraft-android-implant/>.
Analyses of government-grade iOS malware date back to at least 2012.

Glenn McKnight
mcknight.glenn at gmail.com
skype  gmcknight
twitter gmcknight