[Chapter-delegates] HK Protesters Targeted with Spyware
Kathy Brown
brown at isoc.org
Thu Oct 2 03:52:34 PDT 2014
Chester, thank you for this communication. You, all of our Chapter members and, especially, the young people of Hong Kong have been close to our thoughts and worries. Please let us know how we can be of help. Your ISOC family is nearby.

Kathy
> On Oct 2, 2014, at 2:58 AM, "chester at soong.net" <chester at soong.net> wrote:
>
> Dear All,
>
> I joined the protest for 3 days and some of my friends in the IT profession were there on the most violent day and were pepper-sprayed, hit, and tear-gassed!
>
> We did worry about that but the Chief Executive of HK can, under his authority, shut down and intercept all telecommunications on an executive order. So most of us have turned to Firechat now, and we almost held a talk with Micha Benoliel as he happened to be in HK. Now, it is not about getting your phone hacked or communications sniffed anymore. It has gone back to traditional government suppression of protests, with people infiltrating the largely peaceful protests and stirring up unrest! Honestly, I worry about how this will end. This has gone beyond the Internet, but it has helped us so far in spreading the truth and unveiling the issues.
>
> Regards,
>
>
> Chester
>
> On Wed, 1 Oct 2014 20:17:16 -0400
> Glenn McKnight <mcknight.glenn at gmail.com> wrote:
>> Protesters in Hong Kong calling for democracy reforms are being targeted by
>> spyware that can affect both iPhones and smartphones running Google’s
>> Android software, a security company claims.
>> However the iPhone users among the thousands of protesters should be safe
>> if they have not bypassed Apple’s security system to “jailbreak” their
>> phones to install unapproved apps.
>> The discovery marks the second time that the demonstrators’ phones appear
>> to have been targeted since the protests began last week.
>> Dubbed Xsser mRAT by Israeli firm Lacoon Mobile Security, the malware is
>> being run from the same server as a malicious program targeting Android
>> phones spotted last week
>> <http://www.scmp.com/news/hong-kong/article/1594667/fake-occupy-central-app-targets-activists-smartphones>.
>> That masqueraded as an app for the Occupy Central pro-democracy movement
>> and was spread via messages on the cross-platform Whatsapp messaging system
>> which urged readers to “Check out this Android app designed by Code4HK for
>> the coordination of Occupy Central!”. Protest organisers said none of its
>> members had developed or distributed the application.
>> Lacoon said the Chinese government, which has been accused of various
>> digital attacks on activists in recent years, was likely coordinating the
>> attacks – though there is no proof the iPhone malware has infected any of
>> the protesters’ phones. Only those which have been “jailbroken” by the
>> owner to circumvent Apple’s normal security against unauthorised apps are
>> vulnerable. However some users in Asia have jailbroken their iPhones in
>> order to install local apps that are not approved for Apple’s App Store, or
>> run special software. The malware does not itself appear to be able to
>> jailbreak the iPhones.
>> The version targeting Android smartphones can spy on the user because it
>> masquerades as an app for organising the protest - and requests access to
>> the owner’s phone address book, web browsing history, location, text
>> messages, and phone call log. It can also record audio. Those details can
>> then be sent to a web server in South Korea which appears to be controlled
>> by a source in mainland China. If successfully installed, the iPhone
>> malware collects the same data.
>> “Cross-platform attacks that target both iOS [iPhone] and Android devices
>> are rare, and indicate that this may be conducted by a very large
>> organisation or nation state,” Lacoon co-founder Ohad Bobrov said in a blog
>> post
>> <https://www.lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/>.
>> “The fact that this attack is being used against protesters and is being
>> executed by Chinese-speaking attackers suggests it’s the first iOS trojan
>> linked to Chinese government cyber activity.”
>> The US-based Electronic Frontier Foundation noted the likelihood of anyone
>> involved in the Hong Kong protests getting infected was not high, given iOS
>> devices had to be jailbroken and Android users still had to be tricked into
>> downloading the malicious software, which was not on the official Google
>> Play market and was not spreading on its own.
>> The EFF also said that just because the iOS and Android malware are run
>> from the same servers does not mean they are both aimed at Hong Kong
>> protesters.
>> Claudio Guarnieri, a security expert now working to help activists across
>> the globe, said over Twitter the iOS malware didn’t seem unique and was
>> certainly not advanced as Lacoon had suggested, nor was there any evidence
>> it was hitting Hong Kong protesters.
>> But onlookers are still concerned about the range of malware targeting
>> activists over different platforms. Security firm Kaspersky Lab confirmed
>> it had also seen various examples of malicious apps for iOS and Android, as
>> well as spyware samples for other platforms, related to the Hong Kong
>> protests.
>> “Since nearly every part of our lives now has a digital aspect to it, it’s
>> no surprise, in a situation like this, to discover that there are those who
>> wish to steal information from those involved. It is not the first nor the
>> last attack of this kind. We previously observed both targeted and
>> cybercriminal attacks against mobile users. This is unlikely to stop
>> anytime soon, on the contrary, we are witnessing a steady growth of mobile
>> malware,” said David Emm, principal security researcher at Kaspersky Lab.
>> Guarnieri told the Guardian attacks over mobile on activists “have been
>> happening for a while already and certainly won’t stop”.
>> “By experience I see many activists putting an inherent trust in their
>> phones while growing a distrust in their computers, and that leads
>> sometimes to irresponsible use of both those technologies.”
>> In June, so-called “lawful interception” technology was seen posing as a
>> genuine Android news app, which appeared to be targeting people linked to
>> political protest in eastern Saudi Arabia
>> <http://citizenlab.org/2014/06/backdoor-hacking-teams-tradecraft-android-implant/>.
>> Analyses of government-grade iOS malware date back to at least 2012.
>> Glenn McKnight
>> mcknight.glenn at gmail.com
>> skype gmcknight
>> twitter gmcknight
>