[Chapter-delegates] HK Protesters Targeted with Spyware
chester at soong.net
Wed Oct 1 23:58:45 PDT 2014
Dear All,
I joined the protest for 3 days and some of my friends in
the IT profession were there on the most violent day and
were pepper-sprayed, hit, and tear-gassed!
We did worry about that, but the Chief Executive of HK can,
under his authority, shut down and intercept all
telecommunications on an executive order. So most of us
have turned to Firechat now, and we almost held a talk
with Micha Benoliel as he happened to be in HK. Now, it is
not about getting your phone hacked or communications
sniffed anymore. It has gone back to traditional
government suppression of protests, with people
infiltrating the largely peaceful protests and stirring
up unrest! Honestly, I worry about how this will end.
This has gone beyond the Internet, but it has helped us so
far in spreading the truth and unveiling the issues.
Regards,
Chester
On Wed, 1 Oct 2014 20:17:16 -0400
Glenn McKnight <mcknight.glenn at gmail.com> wrote:
> Protesters in Hong Kong calling for democracy reforms are being targeted
> by spyware that can affect both iPhones and smartphones running Google’s
> Android software, a security company claims.
>
> However the iPhone users among the thousands of protesters should be safe
> if they have not bypassed Apple’s security system to “jailbreak” their
> phones to install unapproved apps.
>
> The discovery marks the second time that the demonstrators’ phones appear
> to have been targeted since the protests began last week.
>
> Dubbed Xsser mRAT by Israeli firm Lacoon Mobile Security, the malware is
> being run from the same server as a malicious program targeting Android
> phones spotted last week
> <http://www.scmp.com/news/hong-kong/article/1594667/fake-occupy-central-app-targets-activists-smartphones>.
> That masqueraded as an app for the Occupy Central pro-democracy movement
> and was spread via messages on the cross-platform Whatsapp messaging system
> which urged readers to “Check out this Android app designed by Code4HK for
> the coordination of Occupy Central!”. Protest organisers said none of its
> members had developed or distributed the application.
>
> Lacoon said the Chinese government, which has been accused of various
> digital attacks on activists in recent years, was likely coordinating the
> attacks – though there is no proof the iPhone malware has infected any of
> the protesters’ phones. Only those which have been “jailbroken” by the
> owner to circumvent Apple’s normal security against unauthorised apps are
> vulnerable. However some users in Asia have jailbroken their iPhones in
> order to install local apps that are not approved for Apple’s App Store, or
> run special software. The malware does not itself appear to be able to
> jailbreak the iPhones.
>
> The version targeting Android smartphones can spy on the user because it
> masquerades as an app for organising the protest - and requests access to
> the owner’s phone address book, web browsing history, location, text
> messages, and phone call log. It can also record audio. Those details can
> then be sent to a web server in South Korea which appears to be controlled
> by a source in mainland China. If successfully installed, the iPhone
> malware collects the same data.
>
> “Cross-platform attacks that target both iOS [iPhone] and Android devices
> are rare, and indicate that this may be conducted by a very large
> organisation or nation state,” Lacoon co-founder Ohad Bobrov said in a blog
> post
> <https://www.lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/>.
> “The fact that this attack is being used against protesters and is being
> executed by Chinese-speaking attackers suggests it’s the first iOS trojan
> linked to Chinese government cyber activity.”
>
> The US-based Electronic Frontier Foundation noted the likelihood of anyone
> involved in the Hong Kong protests getting infected was not high, given iOS
> devices had to be jailbroken and Android users still had to be tricked into
> downloading the malicious software, which was not on the official Google
> Play market and was not spreading on its own.
>
> The EFF also said that just because the iOS and Android malware are run
> from the same servers does not mean they are both aimed at Hong Kong
> protesters.
>
> Claudio Guarnieri, a security expert now working to help activists across
> the globe, said over Twitter the iOS malware didn’t seem unique and was
> certainly not advanced as Lacoon had suggested, nor was there any evidence
> it was hitting Hong Kong protesters.
>
> But onlookers are still concerned about the range of malware targeting
> activists over different platforms. Security firm Kaspersky Lab confirmed
> it had also seen various examples of malicious apps for iOS and Android, as
> well as spyware samples for other platforms, related to the Hong Kong
> protests.
>
> “Since nearly every part of our lives now has a digital aspect to it, it’s
> no surprise, in a situation like this, to discover that there are those who
> wish to steal information from those involved. It is not the first nor the
> last attack of this kind. We previously observed both targeted and
> cybercriminal attacks against mobile users. This is unlikely to stop
> anytime soon, on the contrary, we are witnessing a steady growth of mobile
> malware,” said David Emm, principal security researcher at Kaspersky Lab.
>
> Guarnieri told the Guardian attacks over mobile on activists “have been
> happening for a while already and certainly won’t stop”.
>
> “By experience I see many activists putting an inherent trust in their
> phones while growing a distrust in their computers, and that leads
> sometimes to irresponsible use of both those technologies.”
>
> In June, so-called “lawful interception” technology was seen posing as a
> genuine Android news app, which appeared to be targeting people linked to
> political protest in eastern Saudi Arabia
> <http://citizenlab.org/2014/06/backdoor-hacking-teams-tradecraft-android-implant/>.
> Analyses of government-grade iOS malware date back to at least 2012.
> Glenn McKnight
> mcknight.glenn at gmail.com
> skype gmcknight
> twitter gmcknight
> .