New iOS Trojan Focusing on Hong Kong Protesters with Jailbroken Devices

By | October 1, 2014

It seems that we have a new trojan for iOS: this trojan attacks jailbroken iPhones, iPad and iPod touch devices, and is believed to be targeting the pro-democracy protestors in Hong Kong.

The malicious software was discovered by Lacoon and has been dubbed Xsser mRAT. It uses social engineering in order to steal data from jailbroken devices by tricking users to tap on an install link contained within phishing messages from unknown sources.

It’s been created by Chinese hackers, and it’s effective in extracting a huge range of personal information, including SMS messages, your iOS address book, GSM identities, Call logs, your rough geographical location, pictures on your device, in addition to passwords and other relevant data in the iOS key-chains used by your mail accounts, Apple ID, and other services.

This nasty spyware also draws additional data from the Cloud, like your MAC address, your iOS version, device version and phone number, and IMEI and IMSI. Once this trojan is installed on your device it runs immediately following a reboot, and updates itself automatically.

cydia repository page

The actual attack vector is unknown, however Lacoon determined that this malicious software uses the Cydia store together with a special server which contains a Cydia repository for the mRAT debian package for Android and iOS devices.

The article states that with Cydia installed the repository must be added and then the package can be installed. The package installs an iOS ‘launched’ service to ensure that the trojan starts the moment your device has been rebooted.

It seems that these attackers have gone to a lot of trouble to protect their identity by accessing a Whois protection service on malicious servers. Apparently the servers themselves are connected to a VPS service and are accessible by RDP connections.

How To Protect Agains Xsser mRAT?

If you haven’t jailbroken your device then you’re quite safe. However, if you have jailbroken your device you must be extremely cautious about accepting links from unknown sources via iMessage, WhatsApp, and other instant messaging platforms.

In Hong Kong on Thursday the Xsser mRAT was used against the Occupy Central protesters, who received a WhatsApp link asking them to install this trojan – it was disguised as an app for coordinating protesters.

Because Xsser mRAT is a cross-platform trojan affecting both Android and iOS devices, Lacoon is convinced this is the first iOS trojan linked to Chinese Government cyber activity.

Leave a Reply

Your email address will not be published. Required fields are marked *