China targets Hong Kong protestors with Android and iOS spyware

Warwick Ashford  
China is suspected of using a fake app for Android and iOS smartphones to spy on pro-democracy Occupy Central protestors in Hong Kong.
The spyware is being spread among protestors through messages on WhatsApp that contain a link to the fake app that purports to be a co-ordination app for Occupy Central, reports the New York Times.
The messages claim the app was developed by the pro-democracy community of developers Code4HK, but the group and the Occupy Central movement have denied any links to the app.
The fake app is being used to infect protestors’ phones with spyware dubbed Xsser mRAT by Israeli firm Lacoon Mobile Security.
According to the firm’s researchers, the malware is being run from the same server as malware targeting Android phones that was spotted last week.
Although it is impossible to be certain about the origin of the fake app, indications are that it has the backing of the Chinese authorities, said Michael Shaulov, Lacoon’s chief executive.
Given the “targets of the operation, where the servers are based and the sophistication of the attack, it doesn’t leave much room to the imagination,” he said.
Lacoon’s researchers found that, once the fake app is downloaded, it can access personal data such as passwords and bank information, spy on phone calls and messages and track the physical location of the infected smartphone.
The malicious app is unusual because of its ability to infect phones running either Google’s Android operating system or Apple’s iOS, which is usually more secure.
However, researchers said iPhone users should be safe if they have not bypassed Apple’s security system to “jailbreak” their phones to install apps that have not been approved by Apple.
“This is the first time that we have seen such operationally sophisticated iOS malware operational, which is actually developed by a Chinese-speaking entity,” said Shaulov.
Lacoon co-founder, Ohad Bobrov, said in a blog post that cross-platform attacks that target both iOS and Android devices are rare.
He said the cross-platform capability of the malware is one indication that the attack is probably supported by a large organisation or nation state.
“The fact that this attack is being used against protesters and is being executed by Chinese-speaking attackers suggests it’s [the] first iOS trojan linked to Chinese government cyber activity,” he wrote.
The pro-democracy movement was targeted by cyber attacks in June 2014 when online voting in an unofficial referendum on Hong Kong’s political future was disrupted by distributed denial of service (DDoS) attacks.
US security experts believe the Chinese-backed cyber attacks to monitor and potentially discredit protest leaders will increase in the coming weeks.
They say the tactics used against Occupy Central are similar to those used by China against minority groups from Tibet and Xinjiang provinces.
Meanwhile, in mainland China, the Facebook-owned Instagram service has been widely inaccessible since the weekend, according to several internet monitors.
The move is seen as an attempt by Chinese authorities to limit the flow of images of the Hong Kong protests because of concerns the protests may spread.
The rate of deletions of posts on Weibo, China’s version of Twitter, has also soared in recent days, according to reports.
But Claudio Guarnieri, a security expert who helps activists around the world, told the Guardian that the iOS malware did not seem unique, that it was not as advanced as Lacoon has suggested, and that there is no evidence that it is hitting Hong Kong protesters.
But security firm Kaspersky Lab said it has seen various examples of malicious apps for iOS and Android, as well as spyware samples for other platforms that are related to the Hong Kong protests.
Guarnieri told the Guardian that attacks on activists using mobile phones “have been happening for a while already and certainly won’t stop”.
“By experience I see many activists putting an inherent trust in their phones while growing a distrust in their computers, and that leads sometimes to irresponsible use of both those technologies,” he said.
State-sponsored malware is a growing concern, with 44% of security professionals polled at Black Hat USA 2014 saying they believe the US is losing the battle against state-sponsored cyber attacks.
More than half (58%) said they think their network may have already been breached by a foreign state-sponsored attack, according to the survey by privilege management firm Lieberman Software.
“The majority of organisations are prepared for amateur hackers and low-level criminals, but are completely ill-equipped to deal with today’s advanced nation-state foes,” said Philip Lieberman, president of Lieberman Software.
“The most dangerous threats are highly personalised attacks designed for one-time use against specific individuals.
“Many state-sponsored attackers can now create perfect email attacks that insert remote control software on to corporate networks.
“Most corporations and government agencies would benefit from better security training, documented security processes, and enterprise-level products that can manage and secure powerful privileged accounts that grant access to critical IT assets,” he said.