Posted on Leave a comment

Rare cross-platform malware targets iOS and Android devices of Hong Kong protestors

image thumb1 anonymous domain registration

An Israeli security firm has discovered evidence of a cross-platform (iOS and Android) malware attack targeting the Operation Central (Umbrella Revolution) protestors in Hong Kong. The spyware, Xsser mRAT (or Xsser.0day), exposes information on the devices such as SMS and email messages, instant messages (e.g. Tencent Archive), GPS location data, phone call logs, contact information, and of course, usernames and passwords.

The app seems to specifically target iOS devices but is related to Android spyware that is already widely distributed across Hong Kong. The Android spyware was recently distributed via an anonymous Whatsapp message (text of the message read, “Check out this Android app designed by Code4HK, group of activist coders, for the coordination of Occupy Central!”) linked to an Occupy Central app containing an embedded copy of the spyware. The Android spyware points to the same Command and Control (CnC) domain used by the iOS app. Analysts currently have little detail regarding the iOS attack vector.

Researchers noted that the spyware/malware runs immediately upon booting and includes facilities for remote updating. The CnC servers are running through a VPS service (likely to protect the location of the real Command and Control server) that is setup as an anonymously registered domain, possibly (using a Chinese protection service). The CnC communications utilize HTTP GET and POST requests to update and deliver payloads.

The security firm feels the manufacture of a targeted iOS and Android app hints at a well-resourced attacker – likely the Chinese government.  During the time I wrote this article, the CnC server was taken down so it is likely moving already.

Example of the HTTP request to get/update the spyware library

GET /CheckLibrary.aspx HTTP/1.1
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: xsser.0day (unknown version) CFNetwork/672.1.15 Darwin/14.0.0
Accept-Language: en-us
Accept: */*
HTTP/1.1 200 OK
Date: Mon, 29 Sep 2014 09:27:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 79|iLib.4.0.0.dylib|4.0.0|1033720