Security Sidebar: Political Activism Laced With Malware

Civil disobedience invokes personal emotions and actions that are rivaled by few things.  For thousands of years, there has been a natural tension between a government and its people.  When, in some people's minds, the government steps too far with laws or demands, those people feel compelled to speak out...and act out against their government.  From Aristotle to Ghandi to Henry David Thoreau to Martin Luther King Jr, leaders have spent significant time and energy in the fight for civil rights.

 

“If the machine of government is of such a nature that it requires you to be the agent of injustice to another, then, I say, break the law” -  Henry David Thoreau, 1849

While this article is not meant to pontificate on the details of civil disobedience and such, it is important to understand that these things matter very deeply to many people.  As such, these things also provide an extremely attractive target for malware attacks.  Literally, as I write this article, there are tens of thousands of protestors filling the streets of central Hong Kong doing exactly what Henry David Thoreau suggested in 1849.

The Chinese government recently handed down a ruling that will limit the candidates in the upcoming election for Hong Kong's leader.  As you can imagine, some people didn't like this very much...they wanted to at least be represented in the election.  Several democracy advocates launched a movement called "Occupy Central" and they promised retaliation for the government ruling.

This movement has gained significant support, and many people are excited to get involved.  With all these people ready to support the Occupy movement, how do you think the Occupy leaders organize, control, and communicate with such a large group of diverse people?  The answer: social media and instant messaging.  Let's face it...we use these modes of communication for just about everything these days.  And, what's worse, we inherently and blindly trust them.

Since the Occupy movement has garnered such a large following, a group of cyber attackers have used this momentum to take advantage of unsuspecting targets.  Using geographic proximity to known protest sites, the attackers send messages to users via WhatsApp stating the following: "Check out this Android app designed by Code4HK, group of activist coders, for the coordination of Occupy Central!"  When a user clicks the link, his device is infected with an advanced mRAT, or mobile Remote Access Trojan.  This specific trojan is called Xsser mRAT.

Researchers at Lacoon Mobile Security discovered this malware and said, “When infected, Xsser mRAT exposes virtually any information on iOS devices, including SMS, email and instant messages, and can also reveal location data, usernames and passwords, call logs and contact information.”  The trojan runs immediately after boot and is updated dynamically.  The following diagram is taken from the Lacoon website and shows the installation process for this particular trojan (warning: graphic naming of the function called in step 7).

 

Xsser's code is written in Chinese, so who do you think supports and funds this malware effort against the Hong Kong protestors?  I personally have no idea, but it sure does make you wonder.

This trojan is also cross-platform, meaning it can spread to both Android and iOS devices.  One other thing to note about this particular trojan...it can currently only infect a jail-broken device.  Additionally, a user must agree to a few application updates before it loads on their device.  Nonetheless, this trojan is dangerous, and it showcases an attacker's ability to spy on just about every aspect of your life.  So, either don't keep any personal information on your phone at all, or be very careful when opening attachments.

I'm not saying it's right, but I do think it's pretty genius to target someone at a very vulnerable place in their life.  Their guard is likely down, and their willingness to click on an unsuspecting link is likely up.  Be careful out there!

 

Published Oct 16, 2014
Version 1.0

Was this article helpful?