Both iPhone and Android users among Hong Kong demonstrations targeted by fake apps that may come from ‘nation-state’ attackers, says Lacoon Mobile Security

Protesters in Hong Kong calling for democracy reforms are being targeted by spyware that can affect both iPhones and smartphones running Google’s Android software, a security company claims.

However the iPhone users among the thousands of protesters should be safe if they have not bypassed Apple’s security system to “jailbreak” their phones to install unapproved apps.



The discovery marks the second time that the demonstrators’ phones appear to have been targeted since the protests began last week.

Dubbed Xsser mRAT by Israeli firm Lacoon Mobile Security, the malware is being run from the same server as a malicious program targeting Android phones spotted last week. That masqueraded as an app for the Occupy Central pro-democracy movement and was spread via messages on the cross-platform Whatsapp messaging system which urged readers to “Check out this Android app designed by Code4HK for the coordination of Occupy Central!”. Protest organisers said none of its members had developed or distributed the application.

Lacoon said the Chinese government, which has been accused of various digital attacks on activists in recent years, was likely coordinating the attacks – though there is no proof the iPhone malware has infected any of the protesters’ phones. Only those which have been “jailbroken” by the owner to circumvent Apple’s normal security against unauthorised apps are vulnerable. However some users in Asia have jailbroken their iPhones in order to install local apps that are not approved for Apple’s App Store, or run special software. The malware does not itself appear to be able to jailbreak the iPhones.

The version targeting Android smartphones can spy on the user because it masquerades as an app for organising the protest - and requests access to the owner’s phone address book, web browsing history, location, text messages, and phone call log. It can also record audio. Those details can then be sent to a web server in South Korea which appears to be controlled by a source in mainland China. If successfully installed, the iPhone malware collects the same data.

“Cross-platform attacks that target both iOS [iPhone] and Android devices are rare, and indicate that this may be conducted by a very large organisation or nation state,” Lacoon co-founder Ohad Bobrov said in a blog post. “The fact that this attack is being used against protesters and is being executed by Chinese-speaking attackers suggests it’s first iOS trojan linked to Chinese government cyber activity.”

The US-based Electronic Frontier Foundation noted the likelihood of anyone involved in the Hong Kong protests getting infected was not high, given iOS devices had to be jailbroken and Android users still had to be tricked into downloading the malicious software, which was not on the official Google Play market and was not spreading on its own.



The EFF also said that just because the iOS and Android malware are run from the same servers does not mean they are both are aimed at Hong Kong protesters.

Claudio Guarnieri, a security expert now working to help activists across the globe, said over Twitter the iOS malware didn’t seem unique and was certainly not advanced as Lacoon had suggested, nor was there any evidence it was hitting Hong Kong protesters.

But onlookers are still concerned about the range of malware targeting activists over different platforms. Security firm Kaspersky Lab confirmed it had also seen various examples of malicious apps for iOS and Android, as well as spyware samples for other platforms, related to the Hong Kong protests.



“Since nearly every part of our lives now has a digital aspect to it, it’s no surprise, in a situation like this, to discover that there are those who wish to steal information from those involved. It is not the first nor the last attack of this kind. We previously observed both targeted and cybercriminal attacks against mobile users. This is unlikely to stop anytime soon, on the contrary, we are witnessing a steady growth of mobile malware,” said David Emm, principal security researcher at Kaspersky Lab.



Guarnieri told the Guardian attacks over mobile on activists “have been happening for a while already and certainly won’t stop”.



“By experience I see many activists putting an inherent trust in their phones while growing a distrust in their computers, and that leads sometimes to irresponsible use of both those technologies.”



In June, so-called “lawful interception” technology was seen posing as a genuine Android news app, which appeared to be targeting people linked to political protest in eastern Saudi Arabia. Analyses of government-grade iOS malware date back to at least 2012.

