A malware program that targets Hong Kong activists using Apple devices has trademarks of being developed by a nation-state, possibly China, according to a security company.
Lacoon Mobile Security of San Francisco wrote on its blog on Tuesday that the malware, called Xsser mRAT, is the “first and most advanced, fully operational Chinese iOS trojan found to date.”
The Apple malware is related to a malicious Android one found last month that advertised itself as a way for activists to coordinate protests, Lacoon wrote.
Hong Kong has seen massive demonstrations after China moved to only allow candidates it approves to run in the election of the territory’s chief executive in 2017. Activists charge China reneged on a promise of an election without restrictions.
It’s not usual to see malware emerge that has been customized to capitalize on current events, and security experts have long documented programs suspected to have been created to monitor dissidents and activists.
Xsser mRAT can steal SMS messages, call logs, location data, photos, address books, data from the Chinese messaging application Tencent and passwords from the iOS keychain, Lacoon wrote.
“Although it shows initial signs of being a targeted attack on Chinese protesters, the full extent of how Xsser mRAT is being used is anyone’s guess,” the company wrote. “It can cross borders easily, and is possibly being operated by a Chinese-speaking entity to spy on individuals, foreign companies or even entire governments.”
However, there is a saving grace: only iOS devices that have been jailbroken, or modified to run unauthorized apps, would be able to run the malware, according to Lacoon. Apple tightly vets the applications on its App Store and advises that people do not jailbreak their devices.
Lacoon wrote that the Android version was making the rounds through links distributed on the messaging application WhatsApp. The messages came from an unknown phone number, reading: “Check out this Android app designed by Code4HK, group of activist coders, for the coordination of Occupy Central!”
Code4HK told the South China Morning Post newspaper that it had nothing to do with the application, according to a Sept. 17 story.
Lacoon found the same server used to control the Android malware also hosted the iOS malware. Such targeting of both Android and iOS devices is rare, the company wrote, which may “indicate that this may be conducted by a very large organization or nation state.”