Malware-based espionage targeting political activists and other opposition is nothing new, especially when it comes to opponents of the Chinese government. But there have been few attempts at hacking activists more widespread and sophisticated than the current wave of spyware targeting the mobile devices of members of Hong Kong’s “Umbrella Revolution.”

Over the past few days, activists and protesters in Hong Kong have been targeted by mobile device malware that gives an attacker the ability to monitor their communications. What’s unusual about the malware, which has been spread through mobile message “phishing “ attacks, is that the attacks have targeted and successfully infected both Android and iOS devices.

The sophistication of the malware has led experts to believe that it was developed and deployed by the Chinese government. But Chinese-speaking hackers have a long history of using this sort of malware, referred to as remote access Trojans (RATs), as have other hackers around the world for a variety of criminal activities aside from espionage. It’s not clear whether this is an actual state-funded attack on Chinese citizens in Hong Kong or merely hackers taking advantage of a huge social engineering opportunity to spread their malware. But whoever is behind it is well-funded and sophisticated.

I smell a RAT

The personal computer version of RATs, also known as “remote administration tools,” have had their recent moment in mainstream media thanks to the case of Miss Teen USA Cassidy Wolf. Wolf revealed earlier this year that she had been the victim of a RAT-based “sextortion” plot —someone managed to use a RAT to take control of her computer’s webcam and take pictures of her in her room. And as Ars reported last year, there’s a community of “ratters” who trade in pictures and video collected from the webcams of their “slaves.”

But RATs have been used against dissidents and activists by hackers from China as well. Starting in June 2008, researchers from the University of Toronto’s Infowar Monitor Project began an investigation of allegations of hacking by the Chinese government against the expatriate Tibetan community. They discovered that the Private Office of the Dalai Lama, the Tibetan Government-in-Exile, and a number of Tibetan nongovernmental organizations in India, Europe, and North America had been targeted by a Trojan called Gh0st RAT—a remote control Trojan operated from the network of a commercial DSL Internet provider in Hainan, China.

By tracking Gh0st RAT traffic, the University of Toronto team was able to trace additional compromised systems in 103 countries—nearly 30 percent of which were located on “high value” networks associated with international diplomacy—including other nations’ foreign ministries and embassies and NATO headquarters. But it’s not clear that the network’s intent was to specifically target its victims for government-sponsored espionage, or whether the social engineering approach used to spread the Trojan just happened to be one that resonated with diplomatic targets. Gh0st RAT was already in circulation among other hackers before it was modified for use by the Hainan-based attack. As the University of Toronto report’s authors put it:

Cyberspace has empowered individuals and small groups of non-state actors to do many things, including executing sophisticated computer network operations that were previously only the domain of state intelligence agencies. We have entered the era of do-it-yourself (DIY) signals intelligence.

In other words, just as Russian cybercriminals have conducted their own attacks against the institutions of governments at odds with their nation (in Estonia and Georgia, for example), the Gh0st RAT surveillance may have been conducted by a Chinese “cyber-militia.” It may be that the RAT malware was spread by one or more private Chinese citizens—acting either out of patriotism or with the gentle guidance of Communist Party officials.

The spy in your pocket

While RATs on PCs have given just about anyone with the desire and a modicum of social engineering skills the ability to collect a great deal of data, smart mobile devices have created an even bigger opportunity for malware. The emergence of mobile-focused RAT software has only furthered the capabilities of individuals to roll their own DIY NSA.

Mobile devices have become an increasingly attractive platform for RATs as they’ve proliferated. In April of 2013, Lacoon Mobile Security published research it conducted in coordination with a number of international mobile providers, sampling traffic data from 2 million customers’ devices, and found that 1 in 1,000 customers had a mobile device that had a mobile RAT (mRAT) installed on them.

At the time, researchers were surprised that 1 in 2,000 iOS devices had been infected with mRATs—which would have required those devices to have been jailbroken by their owners (or by someone else who had physical access to the devices).

Since then, mRATs have spread far and wide, particularly in the Android world, where some have even briefly snuck into the Google Play store—one mRAT made it onto Google’s store disguised as a legitimate application called Parental Control. That particular Trojan was downloaded fewer than 50 times, Lookout Mobile security researcher Marc Rogers told Ars’ Dan Goodin in March.

But you don’t have to infiltrate the Google app store to spread an mRAT far and wide, as events in Hong Kong have shown. Over the past weeks, an mRAT has been spread through essentially the same mechanism that Gh0st RAT was spread—social engineering.

Greetings, citizen

Lacoon reported that the malicious Android application carrying the Hong Kong mRAT began spreading last week, distributed via a link in WhatsApp text messages sent to Hong Kong activists. The message was crafted to look like it was coming from a support network for the Occupy Central movement.

The message linked to code which the author claimed was written by the activist developer group Code4HK in support of the protests. After installation—during which the app requests a wide range of permissions—the masquerading malware pops up a dialog box that says, “Application updates, please click to install.” If and only if the user gives the app permission for this final prompt, it receives another set of code updates and begins surveilling the user’s activities.

The Android mRAT is already widely distributed in Hong Kong, according to Lacoon’s Chief Technology Officer Ohad Bobrov. But this weekend, the Lacoon team discovered a new variant targeting iOS devices—what the researchers claim is the first advanced Chinese iOS Trojan. It is dubbed “Xsser mRAT” by Lacoon’s researchers because it runs from a server on xsser.com, the same command and control (CnC) domain used by a Chinese version of the Xsser cross-site scripting penetration tool.

Like other iOS RATs, this malware requires that the device be jailbroken in order for it to be installed—it’s not something that users download from the Apple app store. But that step may have been aided by the prevalence of public jailbreaks for iOS devices in China to gain access to local applications not published through Apple’s iTunes store, thanks largely to Pangu. Xsser mRAT installs through Cydia, an alternative to the iTunes store for jailbroken devices, as a Debian .deb package file.

Both the Android and iOS mRATs can pull huge swaths of data from the infected devices: hardware and operating system information, address books, call logs, SMS messages, location data, and photos, for starters. The Android version can also record audio, place calls, execute other commands on the device, and download files from a URL or directly from the remote attacker’s computer.

The iOS mRAT, according to Lacoon researchers, can also gain access to passwords and usernames stored in the iOS keychain and the local archives for Tencent’s Mobile QQ, a popular Chinese messaging application. The breakdown of Xsser mRAT also found a number of unimplemented commands in the code, indicating that the Trojan is still under development, and additional features may be pushed out to infected devices. Included among the referenced, but unimplemented, commands were features already in the Android mRAT—sending SMS messages, placing phone calls, running local commands, and uploading files to the device.

Identifying exactly who’s behind these mRAT Trojans isn’t easy. The servers for their CnC network are virtual Windows servers hosted on a Chinese virtual private server (VPS) service, the identity of which is hidden behind a “whois protection service” operated by Jiangsu Bangning Science and Technology Co. Ltd—a Chinese ISP and domain registration services company. Similar tactics have been used by other cybercriminals based out of China—and other countries—in the past.

But Lacoon’s Bobrov believes that if the people behind these mRATs aren’t part of the Chinese intelligence infrastructure themselves, they’re certainly getting paid by them. In his blog post on the Android mRAT, Bobrov wrote, “The identity of the victims, as well as data from the CnC (Command and Control) servers lead us to believe that the Chinese Government are behind the attack. This is also a very advanced mRAT that is undoubtedly being backed by a nation state."