Warwick Ashford
China is suspected of using a fake app for Android and iOS smartphones to spy on pro-democracy
Occupy Central protestors in Hong Kong.
The spyware is being spread among protestors through messages on WhatsApp that contain a link to
the fake app, which purports to be a co-ordination app for Occupy Central, reports the New York
Times.
The messages claim the app was developed by the pro-democracy community of developers Code4HK,
but the group and the Occupy Central movement have denied any links to the app.
The fake app is being used to infect protestors’ phones with spyware dubbed Xsser mRAT by
Israeli firm Lacoon Mobile Security.
According to the firm’s researchers, the malware is being run from the same server as malware
targeting Android phones that was spotted last week.
Although it is impossible to be certain about the origin of the fake app, indications are that
it has the backing of the Chinese authorities, said Michael Shaulov, Lacoon’s chief executive.
Given the “targets of the operation, where the servers are based and the sophistication of the
attack, it doesn’t leave much room to the imagination,” he said.
Lacoon’s researchers found that, once the fake app is downloaded, it can access personal data
such as passwords and bank information, spy on phone calls and messages and track the physical
location of the infected smartphone.
The malicious app is unusual because of its ability to infect phones running either Google
Android operating system or Apple’s iOS, which is usually more secure.
However, researchers said iPhone users should be safe if they have not bypassed Apple’s security
system by “jailbreaking” their phones to install apps that have not been approved by Apple.
“This is the first time that we have seen such operationally sophisticated iOS malware
operational, which is actually developed by a Chinese-speaking entity,” said Shaulov.
Lacoon co-founder Ohad Bobrov said in a blog post that cross-platform attacks targeting both iOS
and Android devices are rare.
He said the cross-platform capability of the malware is one indication that the attack is
probably supported by a large organisation or nation state.
“The fact that this attack is being used against protesters and is being executed by
Chinese-speaking attackers suggests it’s [the] first iOS trojan linked to Chinese government cyber
activity,” he wrote.
The pro-democracy movement was targeted by cyber attacks in June 2014 when online voting in an
unofficial referendum on Hong Kong’s political future was disrupted by distributed denial of
service (DDoS) attacks.
US security experts believe the Chinese-backed cyber attacks to monitor and potentially
discredit protest leaders will increase in the coming weeks.
They say the tactics used against Occupy Central are similar to those used by China against
minority groups from Tibet and Xinjiang provinces.
Meanwhile, in mainland China, the Facebook-owned Instagram service has been widely inaccessible
since the weekend, according to several internet monitors.
The move is seen as an attempt by Chinese authorities to limit the flow of images of the Hong
Kong protests because of concerns the protests may spread.
The rate of deletions of posts on China’s version of Twitter, Weibo, has also soared in recent
days, according to reports.
But Claudio Guarnieri, a security expert who helps activists around the world, told the Guardian
that the iOS malware did not seem unique, that it was not as advanced as Lacoon had suggested,
and that there is no evidence it is hitting Hong Kong protesters.
Security firm Kaspersky Lab, however, said it has seen various examples of malicious apps for iOS
and Android, as well as spyware samples for other platforms, that are related to the Hong Kong
protests.
Guarnieri told the Guardian that attacks on activists using mobile phones “have been happening
for a while already and certainly won’t stop”.
“By experience I see many activists putting an inherent trust in their phones while growing a
distrust in their computers, and that leads sometimes to irresponsible use of both those
technologies,” he said.
State-sponsored malware is a growing concern, with 44% of security professionals polled at
Black Hat USA 2014 saying they believe the US is losing the battle against state-sponsored cyber
attacks.
More than half (58%) said they think their network may have already been breached by a foreign
state-sponsored attack, according to the survey by privilege management firm Lieberman Software.
“The majority of organisations are prepared for amateur hackers and low-level criminals, but are
completely ill-equipped to deal with today’s advanced nation-state foes,” said Philip Lieberman,
president of Lieberman Software.
“The most dangerous threats are highly personalised attacks designed for one-time use against
specific individuals.
“Many state-sponsored attackers can now create perfect email attacks that insert remote control
software on to corporate networks.
“Most corporations and government agencies would benefit from better security training,
documented security processes, and enterprise-level products that can manage and secure powerful
privileged accounts that grant access to critical IT assets,” he said.