Mobile security expert Lacoon has discovered new malware called Xsser mRAT that affects both iOS and Android, which it describes as the “First Advanced Chinese iOS Trojan.”
According to Lacoon:
The Lacoon Mobile Security research team has discovered a new mRAT it calls “Xsser mRAT.” The Xsser mRAT specifically targets iOS devices, and is related to Android spyware already distributed broadly in Hong Kong.
A link to the Android spyware, disguised as an app to help coordinate Occupy Central protests in Hong Kong, was sent as an anonymous message to WhatsApp users there on Thursday. In its investigation of that spyware, Lacoon uncovered the Xsser mRAT hosted on the same Command and Control (CnC) domain with the project being named Xsser. Though called Xsser, this is not related to an XSS attack.
Cross-Platform attacks that target both iOS and Android devices are rare, and indicate that this may be conducted by a very large organization or nation state. The fact that this attack is being used against protesters and is being executed by Chinese-speaking attackers suggests it’s the first iOS trojan linked to Chinese government cyber activity.
The Xsser mRAT is itself significant because while there have been other iOS trojans found previously, this is the first and most advanced, fully operational Chinese iOS trojan found to date. Although it shows initial signs of being a targeted attack on Chinese protesters, the full extent of how Xsser mRAT is being used is anyone’s guess. It can cross borders easily, and is possibly being operated by a Chinese-speaking entity to spy on individuals, foreign companies, or even entire governments.
This new malware affects jailbroken iOS devices as well as Android devices. What does it do? It can steal data from your device such as SMS, photos, call logs, and passwords.
How do you avoid being affected?
For iOS users, install software on your smartphone only from trusted sources, never install software if you get a source warning, and revert iOS to its stock form. Note that this will only work if your device is not infected yet.
For Android users, only get apps and content from the Google Play Store and deactivate the “allow installation of apps from unknown sources” setting.