Researchers Claim China Is Using Malware to Spy on Hong Kong Protesters
Image: AP Photo/Vincent Yu/Associated Press
Thousands of protesters continue to fill Hong Kong's streets with umbrellas and demands for democracy, much to the dismay of the Chinese government.
To prevent news of the movement from flowing into mainland China, authorities have blocked Instagram, censored social media posts and, allegedly, targeted Yahoo with an attack that would make the normally secure site vulnerable to snooping and censorship - a so-called 'man-in-the-middle attack.'
Now, researchers at Lacoon Mobile Security claim the Chinese government may be using malware targeted at iPhone users to spy on protesters. In a blog post published on Tuesday, Lacoon claimed to have uncovered 'advanced' iOS malware that could be targeting protesters in Hong Kong. Some experts, however, have quickly raised serious doubts about the claims.
Lacoon said that the malware, named 'Xsser mRAT,' was found on the same server hosting another piece of malware, a fake Occupy Cental app, which was designed to siphon off data from whoever installed it. That Android malware was allegedly sent out to Hong Kong protesters via WhatsApp two weeks ago.
Lacoon claimed the two attacks are related and part of the same 'cross-platform' campaign.
But in Lacoon's report, there's no evidence that this malware has actually been used against Hong Kong protesters. And given that the malware needs a jailbroken iPhone to be installed, it's unlikely that even if it were deployed, it would affect many people, according to Jonathan Zdziarski, a forensic expert and security researcher.
Other independent researchers, like Claudio Guarnieri, who investigates malware attacks for the University of Toronto's Citizen Lab, are also skeptical of claims made by Lacoon.
No, there is no proof that the iOS backdoor is actually being used against protesters in #HK, that's complete misinformation.
- Claudio (@botherder) October 1, 2014
'There is no proof that this malware was ever distributed to anyone,' Guarnieri told Mashable. 'There's no proof that it was used by the Chinese government.'
Even Lacoon's researchers aren't sure the malware was ever used, and admit the only evidence indicating it might have been is that it was hosted on the same server where they found the suspicious Android malware.
'Since we have not witnessed an actual infection, anything from there on is speculation based on what we saw on the servers,' Daniel Brodie, Senior Security Researcher at Lacoon, told Mashable.
Lacoon also seems to have erroneously claimed that this iOS malware was particularly unprecedented. Lacoon's initial blog post was titled 'Lacoon Discovers Xsser mRAT, the First Advanced iOS Trojan.' Following online criticism, the company changed the title to specify that it's the 'first advanced Chinese trojan.'
@headhntr @botherder @ochsff Sirs, you mean old and new side by side? :P http://ift.tt/1E1aumC
- [ Gunther ] (@Gunther_AR) October 1, 2014
As some researchers quickly pointed out, this not the first iOS trojan ever found. Two years ago, for example, researchers at the Citizen Lab uncovered and analyzed several mobile trojans created by the surveillance tech company FinFisher - one of those was made to target iOS devices.
Hey, @LacoonSecurity, how can you say Xsser mRAT is the first advanced iOS Trojan? Did you forget about Dre? https://t.co/lmTUFEkzQ1
- Morgan Mayhem (@headhntr) October 1, 2014
Other surveillance tech companies, like Hacking Team, also have created and sold malware to target iOS devices. Other malware samples targeted at iOS have also been found.
It doesn't even appear that this is the first Chinese malware targeted at iOS users. Earlier this year, Reddit users uncovered a type of iOS malware dubbed Unfold Baby Panda which seemed to have Chinese origins.
'Claims of this being the first iOS trojan are greatly exaggerated,' Morgan Marquis-Boire, another Citizen Lab security researcher, told Mashable.
Have something to add to this story? Share it in the comments.