An iOS spyware app is attacking Chinese protesters' smartphones and devices, and its developers are likely being funded by a large nation state, claims a mobile security firm.
Lacoon Mobile Security says it has discovered a mobile Remote Access Trojan (mRAT) in the iOS version of software many protesters have been using to coordinate Occupy Central rallies in Hong Kong. The security firm has identified the spyware as Xsser mRAT, which is said to be related to similar malicious code that has been deployed in Android apps.
The spyware was discovered when a link to the infected app was sent from an anonymous user via WhatsApp.
"Cross-platform attacks that target both iOS and Android devices are rare, and indicate that this may be conducted by a very large organization or nation state," states Lacoon. "The fact that this attack is being used against protesters and is being executed by Chinese-speaking attackers suggests it's [the] first iOS Trojan linked to Chinese government cyberactivity."
Lacoon says Xsser mRAT represents a shift by government-backed cybercriminals, moving from desktop platforms to target mobile devices. The nature of mobile devices brings its own set of vulnerabilities, says Lacoon.
"The risks extend well beyond the personal user to any enterprise with employees using mobile devices -- company-provided or employee-liable -- for business purposes. When infected, Xsser mRAT exposes virtually any information on iOS devices including SMS, email, and instant messages, and can also reveal location data, usernames and passwords, call logs and contact information."
While Lacoon is still investigating the full capabilities of Xsser mRAT, the security firm says Apple mobile devices have to be jailbroken to fall prey to the spyware. The remote access tool can collect the address book, text messages, call logs, location data, pictures, Apple IDs and passwords.
While there has been other malicious software targeting iOS devices, Lacoon says the complexity of Xsser mRAT makes the spyware notable and especially worrisome.
"Although it shows initial signs of being a targeted attack on Chinese protesters, the full extent of how Xsser mRAT is being used is anyone's guess," says Lacoon. "It can cross borders easily, and is possibly being operated by a Chinese-speaking entity to spy on individuals, foreign companies, or even entire governments."