Researchers unearth Xsser mRAT, Chinese iOS spyware

Researchers looking into the mobile malware attack directed against Hong Kong protesters using Android devices have discovered that the attackers can also target iOS device owners – if the device is jailbroken.

The Android malware was delivered via mobile spam messages urging interested parties to download an app supposedly designed by the Code4HK community to help coordinate Occupy Central.

The fake app is actually a mobile RAT, which can extract almost every piece of information from the infected device (address book, SMS messages, emails, device ID, geolocation data, call logs, etc.). It can also download additional malware, delete files from the device, record audio, call a number, and so on.

“When the user first opens the app, a dialog box will prompt the user to update the app with the text: ‘Application updates, please click to install’. If the user agrees, the app is updated and the espionage capabilities are activated, otherwise the application closes,” explained Lacoon CTO Ohad Bobrov.

Deeper investigation revealed that the C&C server hosting the application has a log-in page in simplified Chinese characters, the script typically used in mainland China. It also revealed that the server hosts a Cydia repository for an iOS mobile RAT, which the researchers dubbed Xsser.

“Lacoon hasn’t uncovered information regarding the method or vector of attack,” says Bobrov. “The iOS device needs to be jailbroken in order to be infected.”

The malware initially sends information about the device (OS version, MAC address, device IMSI and IMEI, phone number) to the C&C server. It is then ready to receive instructions on what to do and to be regularly updated.
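The initial beacon described above bundles several device identifiers into a single request, and that combination is a useful thing for a defender to look for in proxy or egress logs. The following is an added example, not code from the article or from Lacoon: it scans constructed log lines for request bodies that carry two or more identifier shapes (MAC address, IMEI, IMSI, phone number) and reports the destination host so an analyst can review unfamiliar recipients. The log format, the hostnames and every value in the sample are constructed for the example.

```python
"""Flag outbound requests that bundle several device identifiers.

Added example for this article, not code from the article or from Lacoon.
The reported first beacon ships OS version, MAC address, IMSI, IMEI and
phone number to the C&C server; this scanner looks for request bodies that
carry two or more of those identifier shapes and reports the destination
host. Log format, hosts and values below are constructed for the example.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlparse

# Constructed proxy log lines: timestamp, client, method, URL, quoted body.
SAMPLE_LOG = [
    '2014-10-01T10:00:00 10.0.0.5 POST http://app-update.example.net/reg '
    '"os=7.1.2&mac=02:00:00:aa:bb:cc&imsi=454001234567890'
    '&imei=490154203237518&num=%2B85291234567"',
    '2014-10-01T10:00:02 10.0.0.5 GET http://cdn.example.org/image.png ""',
    '2014-10-01T10:00:05 10.0.0.5 POST http://weather.example.com/api "city=HK&unit=c"',
    '2014-10-01T10:00:09 10.0.0.5 POST http://app-update.example.net/cmd "id=42&status=ok"',
    '2014-10-01T10:00:12 10.0.0.5 POST http://bank.example.com/login "user=alice&phone=%2B85291234567"',
]

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)
DIGITS15_RE = re.compile(r"\d{15}")
PHONE_RE = re.compile(r"\+\d{8,15}")

# Two or more identifier kinds in one request is the reporting threshold:
# a lone phone number in a login form is normal, the full bundle is not.
THRESHOLD = 2


def luhn_valid(digits: str) -> bool:
    """IMEIs carry a Luhn check digit; IMSIs do not, which separates the two."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(value: str):
    """Return the identifier kind a single decoded body value looks like, or None."""
    if MAC_RE.fullmatch(value):
        return "mac"
    if DIGITS15_RE.fullmatch(value):
        return "imei" if luhn_valid(value) else "imsi"
    if PHONE_RE.fullmatch(value):
        return "phone"
    return None


def extract_identifiers(body: str) -> dict:
    """Decode a form-encoded body and map identifier kind -> first value seen."""
    values = [v for _, v in parse_qsl(body, keep_blank_values=True)]
    if not values and body:
        values = [body]  # not form-encoded; treat the whole body as one value
    found = {}
    for v in values:
        kind = classify(v)
        if kind and kind not in found:
            found[kind] = v
    return found


@dataclass
class Finding:
    host: str
    path: str
    identifiers: dict = field(default_factory=dict)


def scan(lines) -> list:
    """Return one Finding per request carrying THRESHOLD or more identifier kinds."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than guess at its fields
        _ts, _client, _method, url, body = m.groups()
        ids = extract_identifiers(body)
        if len(ids) >= THRESHOLD:
            u = urlparse(url)
            findings.append(Finding(u.hostname, u.path, ids))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.host}{f.path}: {sorted(f.identifiers)}")
```

Only the registration request to the constructed `app-update.example.net` host is reported; the later command poll to the same host carries no identifiers and is not flagged on its own, so in practice the hit on the first beacon is what leads an analyst to the rest of the traffic to that host. The shape-based matching is deliberately independent of parameter names, since nothing obliges a RAT to label the fields honestly.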

Like the aforementioned Android spyware, this iOS RAT can also collect a great deal of information, including the address book, SMS messages, call logs, location data, pictures, the archive file of Tencent (a popular Chinese messaging app), and passwords and other authentication information in the iOS keychains used by device accounts (AppleID, mail accounts and more).

“Cross-Platform attacks that target both iOS and Android devices are rare, and indicate that this may be conducted by a very large organization or nation state. The fact that this attack is being used against protesters and is being executed by Chinese-speaking attackers suggests it’s the first iOS trojan linked to Chinese government cyber activity,” Bobrov pointed out.

“The Xsser mRAT is itself significant because while there have been other iOS trojans found previously, this is the first and most advanced, fully operational Chinese iOS trojan found to date. Although it shows initial signs of being a targeted attack on Chinese protesters, the full extent of how Xsser mRAT is being used is anyone’s guess. It can cross borders easily, and is possibly being operated by a Chinese-speaking entity to spy on individuals, foreign companies, or even entire governments.”