[Chapter-delegates] HK Protesters Targeted with Spyware
Winthrop Yu
w.yu at gmx.net
Thu Oct 2 17:44:11 PDT 2014
+1 Chester!
On 10/2/2014 2:58 PM, chester at soong.net wrote:
> Dear All,
>
> I joined the protest for 3 days and some of my friends in the IT profession were
> there on the most violent day and were pepper-sprayed, hit, and tear-gassed!
>
> We did worry about that but the Chief Executive of HK can, under his authority,
> shut down and intercept all telecommunications on an executive order. So most
> of us have turned to Firechat now, and we almost held a talk with Micha Benoliel
> as he happened to be in HK. Now, it is not about getting your phone hacked or
> communications sniffed anymore. It has gone back to traditional government
> suppression of protests, with people infiltrating the largely peaceful
> protests and stirring up unrest! Honestly, I worry about how this will end. This
> has gone beyond the Internet, but it has helped us so far in spreading the truth
> and unveiling the issues.
>
> Regards,
>
>
> Chester
>
> On Wed, 1 Oct 2014 20:17:16 -0400
> Glenn McKnight <mcknight.glenn at gmail.com> wrote:
>> Protesters in Hong Kong calling for democracy reforms are being targeted by
>> spyware that can affect both iPhones and smartphones running Google’s
>> Android software, a security company claims.
>>
>> However the iPhone users among the thousands of protesters should be safe
>> if they have not bypassed Apple’s security system to “jailbreak” their
>> phones to install unapproved apps.
>>
>> The discovery marks the second time that the demonstrators’ phones appear
>> to have been targeted since the protests began last week.
>>
>> Dubbed Xsser mRAT by Israeli firm Lacoon Mobile Security, the malware is
>> being run from the same server as a malicious program targeting Android
>> phones spotted last week
>> <http://www.scmp.com/news/hong-kong/article/1594667/fake-occupy-central-app-targets-activists-smartphones>.
>>
>> That masqueraded as an app for the Occupy Central pro-democracy movement
>> and was spread via messages on the cross-platform Whatsapp messaging system
>> which urged readers to “Check out this Android app designed by Code4HK for
>> the coordination of Occupy Central!”. Protest organisers said none of its
>> members had developed or distributed the application.
>>
>> Lacoon said the Chinese government, which has been accused of various
>> digital attacks on activists in recent years, was likely coordinating the
>> attacks – though there is no proof the iPhone malware has infected any of
>> the protesters’ phones. Only those which have been “jailbroken” by the
>> owner to circumvent Apple’s normal security against unauthorised apps are
>> vulnerable. However some users in Asia have jailbroken their iPhones in
>> order to install local apps that are not approved for Apple’s App Store, or
>> run special software. The malware does not itself appear to be able to
>> jailbreak the iPhones.
>>
>> The version targeting Android smartphones can spy on the user because it
>> masquerades as an app for organising the protest - and requests access to
>> the owner’s phone address book, web browsing history, location, text
>> messages, and phone call log. It can also record audio. Those details can
>> then be sent to a web server in South Korea which appears to be controlled
>> by a source in mainland China. If successfully installed, the iPhone
>> malware collects the same data.
>>
>> “Cross-platform attacks that target both iOS [iPhone] and Android devices
>> are rare, and indicate that this may be conducted by a very large
>> organisation or nation state,” Lacoon co-founder Ohad Bobrov said in a blog
>> post
>> <https://www.lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/>.
>> “The fact that this attack is being used against protesters and is being
>> executed by Chinese-speaking attackers suggests it’s the first iOS trojan
>> linked to Chinese government cyber activity.”
>>
>> The US-based Electronic Frontier Foundation noted the likelihood of anyone
>> involved in the Hong Kong protests getting infected was not high, given iOS
>> devices had to be jailbroken and Android users still had to be tricked into
>> downloading the malicious software, which was not on the official Google
>> Play market and was not spreading on its own.
>>
>> The EFF also said that just because the iOS and Android malware are run
>> from the same servers does not mean they are both aimed at Hong Kong
>> protesters.
>>
>> Claudio Guarnieri, a security expert now working to help activists across
>> the globe, said over Twitter the iOS malware didn’t seem unique and was
>> certainly not as advanced as Lacoon had suggested, nor was there any evidence
>> it was hitting Hong Kong protesters.
>>
>> But onlookers are still concerned about the range of malware targeting
>> activists over different platforms. Security firm Kaspersky Lab confirmed
>> it had also seen various examples of malicious apps for iOS and Android, as
>> well as spyware samples for other platforms, related to the Hong Kong
>> protests.
>>
>> “Since nearly every part of our lives now has a digital aspect to it, it’s
>> no surprise, in a situation like this, to discover that there are those who
>> wish to steal information from those involved. It is not the first nor the
>> last attack of this kind. We previously observed both targeted and
>> cybercriminal attacks against mobile users. This is unlikely to stop
>> anytime soon, on the contrary, we are witnessing a steady growth of mobile
>> malware,” said David Emm, principal security researcher at Kaspersky Lab.
>>
>> Guarnieri told the Guardian attacks over mobile on activists “have been
>> happening for a while already and certainly won’t stop”.
>>
>> “By experience I see many activists putting an inherent trust in their
>> phones while growing a distrust in their computers, and that leads
>> sometimes to irresponsible use of both those technologies.”
>>
>> In June, so-called “lawful interception” technology was seen posing as a
>> genuine Android news app, which appeared to be targeting people linked to
>> political protest in eastern Saudi Arabia
>> <http://citizenlab.org/2014/06/backdoor-hacking-teams-tradecraft-android-implant/>.
>>
>> Analyses of government-grade iOS malware date back to at least 2012.
>> Glenn McKnight
>> mcknight.glenn at gmail.com
>> skype gmcknight
>> twitter gmcknight
>
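The forwarded article describes the fake "Occupy Central" Android app by the data it asks for: address book, browsing history, location, text messages, call log, audio, all sent to a remote server. That permission profile is the quickest thing to check before sideloading an app that arrives over WhatsApp. The script below is an added example, not code from the article, Lacoon or the mailing list: it parses a decoded AndroidManifest.xml (as produced by apktool; the manifests here are constructed stand-ins, not real samples), compares the requested permissions against what a protest-coordination app would plausibly need, and flags the excess that matches the spyware profile described above. The permission names are the standard Android ones; the baseline of "expected" permissions and the thresholds are assumptions for illustration.

```python
"""Permission-based triage of a sideloaded Android app manifest.

Added example (not from the article, Lacoon or ISOC). The manifests below
are constructed for illustration; real work would run this on the
AndroidManifest.xml that apktool decodes from the APK.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# The data classes the article says the fake app reads, mapped to the
# standard Android permissions that unlock them.
SPYWARE_PROFILE = {
    "android.permission.READ_CONTACTS": "address book",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browsing history",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.RECORD_AUDIO": "audio recording",
}

# Assumed baseline: what a simple coordination/messaging app plausibly
# needs. Anything beyond this is "unexpected" and examined further.
COORDINATION_APP_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.VIBRATE",
    "android.permission.WAKE_LOCK",
}

# Constructed manifest modelled on the permission set the article attributes
# to the fake app. Package name is invented.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="hk.example.fakeoccupy">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Occupy Central"/>
</manifest>
"""

# Constructed manifest for a plain coordination app, for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="hk.example.coordinate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Coordinate"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for el in root.iter("uses-permission"):
        name = el.get("{%s}name" % ANDROID_NS)
        if name:
            perms.add(name)
    return perms


def package_name(manifest_xml):
    return ET.fromstring(manifest_xml).get("package", "")


def triage(manifest_xml, baseline=COORDINATION_APP_BASELINE):
    """Flag permissions beyond the baseline that match the spyware profile.

    Verdict thresholds are assumptions: three or more profile hits is
    'suspicious', one or two is 'review', none is 'low'.
    """
    perms = requested_permissions(manifest_xml)
    unexpected = sorted(perms - baseline)
    hits = {p: SPYWARE_PROFILE[p] for p in unexpected if p in SPYWARE_PROFILE}
    if len(hits) >= 3:
        verdict = "suspicious"
    elif hits:
        verdict = "review"
    else:
        verdict = "low"
    return {
        "package": package_name(manifest_xml),
        "unexpected": unexpected,
        "profile_hits": hits,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        r = triage(m)
        print(r["package"], r["verdict"])
        for p, what in r["profile_hits"].items():
            print("  reads", what, "via", p)
```

The check is deliberately crude: it says nothing about a sample that hides its collection behind runtime-requested permissions or a native payload, and the EFF's point in the article still stands, since an app that is not installed collects nothing. It does give a fast, offline answer to the one question a protester can act on before tapping "Install": does this app ask for data its advertised purpose does not need?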