Security firm discovers iOS trojan for jailbroken devices


Security firm Lacoon Mobile Security has discovered a trojan that infects jailbroken iOS devices, allowing attackers to steal user data. The malware is actively being offered to protesters participating in the Occupy Central protest in Hong Kong.

Lacoon has named the malware Xsser mRAT. Participants in the Occupy Central occupation campaign in Hong Kong are offered links to the trojan via WhatsApp. The Xsser mRAT malware can only infect iOS devices that have been jailbroken.

Lacoon does not yet know exactly how the infection takes place, but the malware is delivered as a Debian installation package that, once installed through Cydia, registers a service with the launchd daemon. That service starts Xsser mRAT immediately and relaunches it after every reboot. The malware can also update itself automatically.
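The persistence mechanism described above (a launchd service that relaunches the malware at every boot) is also what a responder can look for. The script below is an added example, not code from the article or from Lacoon: it parses launchd property lists of the kind found under /Library/LaunchDaemons on a jailbroken device and reports entries that are boot-persistent but carry a label nobody has vetted, or whose program lives in a user-writable path. The sample plists, the allowlist of known labels and all label names and paths in it are constructed for the example and are not indicators from the report.

```python
"""Triage launchd property lists for unexpected boot-persistent services.

Added example, not from the article. On a jailbroken iOS device a launchd
job is a .plist whose RunAtLoad / KeepAlive keys make launchd start it at
boot and keep it running; that is the persistence mechanism the article
describes. This script parses such plists and flags the suspicious ones.
"""
import plistlib

# Constructed allowlist of job labels an analyst has already vetted
# (hypothetical names; a real allowlist is built from a known-good device).
KNOWN_LABELS = {"com.apple.mobile.installd", "com.saurik.Cydia.Startup"}

# Program paths under these prefixes are writable without root on many
# jailbreaks; a boot-persistent daemon living there deserves a closer look.
SUSPECT_PREFIXES = ("/var/", "/private/var/", "/tmp/")

# Constructed sample plists standing in for files in /Library/LaunchDaemons.
SAMPLE_PLISTS = {
    "com.apple.mobile.installd.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.mobile.installd</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/installd</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    "com.saurik.Cydia.Startup.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.saurik.Cydia.Startup</string>
  <key>Program</key><string>/usr/libexec/cydia/startup</string>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    # Hypothetical unvetted job: starts at boot, binary in a user-writable path.
    "com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/var/mobile/Library/.updater</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><dict><key>SuccessfulExit</key><false/></dict>
</dict></plist>""",
    # Hypothetical on-demand job: unvetted label but not boot-persistent.
    "com.example.ondemand.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.ondemand</string>
  <key>Program</key><string>/usr/bin/ondemand-helper</string>
</dict></plist>""",
}


def is_boot_persistent(job: dict) -> bool:
    """True if launchd would start this job at boot or restart it on exit.

    KeepAlive may be a plain bool or a dict of conditions; any dict form
    still makes launchd relaunch the job under some condition.
    """
    keep_alive = job.get("KeepAlive", False)
    return bool(job.get("RunAtLoad", False)) or keep_alive is True or isinstance(keep_alive, dict)


def program_path(job: dict) -> str:
    """Return the executable path, from Program or ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or [""]
    return args[0]


def triage(plists: dict, known_labels=KNOWN_LABELS) -> list:
    """Return one finding per suspicious plist: {file, label, program, reasons}."""
    findings = []
    for name, raw in plists.items():
        try:
            job = plistlib.loads(raw)
        except Exception as exc:  # malformed XML or plist header
            findings.append({"file": name, "label": "", "program": "",
                             "reasons": [f"unparseable plist: {exc}"]})
            continue
        label = job.get("Label", "")
        program = program_path(job)
        reasons = []
        if is_boot_persistent(job) and label not in known_labels:
            reasons.append("boot-persistent with unvetted label")
        if program.startswith(SUSPECT_PREFIXES):
            reasons.append("program lives in a user-writable path")
        if reasons:
            findings.append({"file": name, "label": label,
                             "program": program, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_PLISTS):
        print(f"{finding['file']}: {finding['label']} -> {finding['program']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

On a real device the `SAMPLE_PLISTS` dict would be replaced by reading every `.plist` under `/Library/LaunchDaemons` (and, for per-user jobs, `~/Library/LaunchAgents`), and the allowlist by the labels collected from a clean device of the same iOS version; the label check catches renamed copies of the malware, while the path check catches a binary dropped somewhere a package manager would not normally install it.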

Xsser mRAT connects over RDP to a command and control server running on a VPS. The attacker can then steal user data such as text messages, images and the address book. The WHOIS record of the C&C server is protected by an anonymization service.

The Xsser mRAT malware had already been spotted in an Android variant and appears to target participants in the Occupy Central action in Hong Kong, partly because it is touted as an application developed specifically for the protest movement. Lacoon therefore believes that the trojan was built and used by the Chinese government. China is trying to censor or block all domestic reporting about the situation in Hong Kong.
