Mobile malware infections race through Hong Kong's Umbrella Revolution


Most of the researchers where I work who travel to China are justifiably paranoid about bringing their devices to China. Because their areas of study are Chinese economics, society, government, etc. they assume that efforts will be made to compromise their computers, and because they are generally in their fifties or sixties they lack the technical expertise to feel confident their laptops etc. are secure. Thus they either leave the laptop home entirely or bring a temporary device that they will not use back in the states. Using something like a jailbroken iOS device? No way.

1 Like

Oh man, I was afraid this was coming. Mobile devices have proven so useful in recent uprisings that the government had to expect the same this time, and China is already known for malware attacks.

They could pair with computer security/malware researchers, and carry honeypot computers. The “will not use back in the states” then changes to “is handed over for analysis back in the states”. Having a “friendly RAT” on the machine, for remote realtime audits, is also an option.

1 Like

This was inevitable. All governments are known for malware attacks; see e.g. the Bundestrojan affair. Or NSA.

…I don’t know how on iCraps, but Android devices that are rooted usually ask for permission for an app when it wants to be root. Is this trojan depending on the user saying yes, or is there a further privilege escalation hidden from sight?

1 Like

The original article says that it’s spread on jailbroken devices (which are really common in China because the government is so restrictive) through text messages on WhatsApp.

1 Like

I read that. But the messages are only a vector. The root is needed for the malware (which went in through the message) to install and get access to advanced functions/data. Different parts of the puzzle…

Rooted devices are also common among technicians, as sometimes the default capabilities are too restricted. The root-maintaining/granting software (usually a patched “su”) usually asks for permission when it is invoked from an app demanding root, and the permission can be granted never/not-now/once/always. So if an unknown app rides in and asks, it should be evident that something is amiss. Of course it is possible that this user-granted mechanism has a workaround, or depends on social-engineering the consent.

Edit: Condensed versions of the articles.

The iOS infection vector is unknown, but I think it is similar to the Android phishing one (the hardest-to-patch security hole is the device operator). The mRAT depends on the Cydia package manager being installed on the phone (which comes with the rooting). Once the installer is downloaded as a .deb package and executed, it takes over the phone.

The Android version does not require a rooted device. The mRAT comes in as a phishing message from an unknown number, “Check out this Android app designed by Code4HK, group of activist coders, for the coordination of Occupy Central!”. If the app linked in the message is installed, and permissions granted, it takes over the phone.

So phishing is likely a large/crucial component of the attack.

1 Like
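The post above says the iOS variant arrives as a Cydia .deb package that "takes over the phone" once executed. What a defender can do before installing is look inside the package statically: a .deb is an `ar` archive wrapping a control tarball (package metadata plus the preinst/postinst/prerm/postrm maintainer scripts that dpkg runs as root during install) and a data tarball (the file tree that gets unpacked). The script below is an added example, not code from the thread or from any of the articles it discusses; it builds a constructed sample package in memory (the package name, dependency list, postinst script and setuid file are all made up for the example) and then parses it the way a triage tool would, reporting the metadata, which root-run scripts are present, every file the package would drop, and any file that would be installed setuid.

```python
"""Static triage of a Cydia-style .deb package before installing it.

Added example. A .deb is an `ar` archive holding `debian-binary`,
`control.tar.*` and `data.tar.*`. The control tarball carries the package
metadata and the maintainer scripts (preinst/postinst/prerm/postrm) that
dpkg runs as root at install/remove time; the data tarball is the file tree
that gets unpacked. The sample package built here is constructed for the
example and is not a real package.
"""
import io
import tarfile

MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")  # names dpkg recognises


def _ar_member(name: str, data: bytes) -> bytes:
    """Encode one member in the common `ar` format that dpkg-deb writes."""
    header = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
    return header + data + (b"\n" if len(data) % 2 else b"")  # members are 2-byte aligned


def _tar_gz(entries: dict[str, tuple[int, bytes]]) -> bytes:
    """Build a gzipped tar from {path: (mode, content)}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, (mode, content) in entries.items():
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(content), mode
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_deb() -> bytes:
    """Constructed sample: metadata, a root-run postinst and a setuid binary."""
    control = (b"Package: com.example.sample-coordinator\n"
               b"Version: 1.0\n"
               b"Architecture: iphoneos-arm\n"
               b"Depends: mobilesubstrate, firmware (>= 7.0)\n"
               b"Maintainer: unknown <nobody@example.invalid>\n"
               b"Description: constructed sample for this example\n")
    postinst = b"#!/bin/sh\n# constructed: dpkg runs this as root right after unpacking\nexit 0\n"
    control_tar = _tar_gz({"./control": (0o644, control), "./postinst": (0o755, postinst)})
    data_tar = _tar_gz({
        "./usr/bin/coordinator": (0o4755, b"\x00constructed-placeholder-binary"),
        "./usr/share/coordinator/README": (0o644, b"constructed sample file\n"),
    })
    return (b"!<arch>\n"
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control_tar)
            + _ar_member("data.tar.gz", data_tar))


def parse_ar(blob: bytes) -> dict[str, bytes]:
    """Split an `ar` archive into {member name: bytes}."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    members, pos = {}, 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError(f"corrupt ar header at offset {pos}")
        name = hdr[:16].decode("ascii").strip().rstrip("/")  # GNU ar appends '/'
        size = int(hdr[48:58])
        members[name] = blob[pos + 60:pos + 60 + size]
        pos = pos + 60 + size + (size % 2)
    return members


def _read_tar(blob: bytes) -> dict[str, tuple[int, bytes]]:
    """Return {path: (mode, content)} for regular files, with a leading './' stripped."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for info in tar.getmembers():
            if info.isfile():
                name = info.name[2:] if info.name.startswith("./") else info.name
                out[name] = (info.mode, tar.extractfile(info).read())
    return out


def parse_control(text: bytes) -> dict[str, str]:
    """Parse the RFC822-style control file (continuation lines start with whitespace)."""
    fields, key = {}, None
    for line in text.decode("utf-8", "replace").splitlines():
        if line[:1] in (" ", "\t") and key:
            fields[key] += "\n" + line.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def inspect_deb(blob: bytes) -> dict:
    """Summarise what installing the package would do, without installing it."""
    members = parse_ar(blob)
    if members.get("debian-binary", b"").strip() != b"2.0":
        raise ValueError("unsupported or missing debian-binary member")

    def member(prefix: str) -> bytes:
        for k, v in members.items():
            if k.startswith(prefix):
                return v
        raise ValueError(f"missing {prefix} member")

    control_files = _read_tar(member("control.tar"))
    data_files = _read_tar(member("data.tar"))
    fields = parse_control(control_files["control"][1])
    return {
        "package": fields.get("Package", "?"),
        "version": fields.get("Version", "?"),
        "depends": [d.strip() for d in fields.get("Depends", "").split(",") if d.strip()],
        # these scripts run as root at install/remove time, before the user ever sees the app
        "maintainer_scripts": [s for s in MAINTAINER_SCRIPTS if s in control_files],
        "files": sorted(data_files),
        # setuid files keep root privileges for anything that can run them later
        "setuid_files": sorted(p for p, (mode, _) in data_files.items() if mode & 0o4000),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(inspect_deb(build_sample_deb()), indent=2))
```

On a real package you would replace `build_sample_deb()` with the bytes of the downloaded file; the report tells you whether anything runs as root during installation and what lands on the filesystem, which is the information the user never sees when they just tap "install" in Cydia.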

Sorry I wasn’t clear - there’s a link included in the messages. The device owner does have to take an action. It’s through clicking the link that the malware is spread.

Mentioned this in a comment on Xeni’s post the other day. idownloadblog dotcom /2014/10/01/xsser-mrat/

It is a message you get on WhatsApp and other messaging, you then have to download an app from that link. The app is supposed to help coordinate protestors.
If that doesn’t work the Chinese govt can just hire some thugs to pose as ‘concerned citizens’ and stage conflicts to undermine solidarity…

1 Like

Worked for Canadian cops. That case when they were photographed and their boots betrayed them.

Chinese will very likely try it too. Can be foiled if the protesters have their own “police” that pacifies the conflict-makers.


While allowing unknown sources/jailbreaking does make your phone more vulnerable, the risk presented here is easily avoided by simply not installing software from an unreliable source.

Neither is this risk unique to China - you could be tricked into installing a hostile application anywhere.

In terms of attack vector this isn’t particularly sophisticated or scary. It’s a form of phishing.

@catgrin it’s more than simply clicking a link. They have to take the link to a jailbroken app store (cydia) and choose to install the application.

@shaddack It’s quite clear that much of the developed world makes use of agent provocateurs to undermine the people. I’m surprised CCP hasn’t figured this out. Which of us live under an oppressive regime again? A friend who lived in East Germany believes we are worse off here and now.

1 Like

All of us?

Workers of the world, unite!


Oh, I don’t know. It’s an opportunity for some really clever people to build a secure network that everyone can build on and use in the future. Each push from one direction will elicit a push from the other. Gains and losses are incremental.

1 Like

That’s standard practice. China did that to Hong Kong in the past when it was Communism vs. Capitalism.


So, Cory - is it time to admit yet that Apple’s “walled garden” approach may have some advantages?
