New Trojan for iOS

Wednesday, October 8, 2014 @ 09:10 AM gHale

Apple is feeling the pressures of a popular platform as more attackers target the company's product lines.

In one case, a newly discovered remote access Trojan for the iOS platform was found by researchers on a server used to deliver Android spyware to protesters in Hong Kong.

Security researchers do not know how an attack with the Xsser mRAT (mobile remote access Trojan) would be carried out, but by analyzing the threat, they discovered it was an advanced remote access Trojan devised specifically for jailbroken iOS devices.

Lacoon Mobile Security encountered the threat while investigating Android spyware distribution among the Hong Kong protesters. That threat arrived as an app claiming to help coordinate the demonstrations, delivered via a link in an anonymous WhatsApp message.

After investigating the origin of the malware, the researchers found the command and control (C&C) server also hosted a Cydia repository serving an iOS Trojan; Cydia enables installation of software packages on jailbroken iOS devices.

Closer examination showed the malware could exfiltrate a range of sensitive information from the affected phone.

The contact list, text messages, call logs, OS data, location information based on cell ID, and passwords can all be stolen by the operators of the threat. Other authentication data, such as keychains used by Apple ID, email and other Apple apps, are also a target.

According to Lacoon, Xsser mRAT can run immediately after boot and can update itself dynamically, downloading the latest resources as needed.

The initial information sent to the C&C servers includes the operating system version, MAC address, device version, IMSI and IMEI codes, and the victim's phone number.

Only after these details have been sent does the malware receive the data-theft commands from the server.

In a company blog post, Ohad Bobrov, co-founder and CTO of Lacoon, said the campaign may have stemmed from the Chinese government.

“Cross-Platform attacks that target both iOS and Android devices are rare, and indicate that this may be conducted by a very large organization or nation state. The fact that this attack is being used against protesters and is being executed by Chinese-speaking attackers suggests it’s (the) first iOS trojan linked to Chinese government cyber activity,” he said.

The features of the malware also appear to support this theory, as it is the first fully operational Chinese Trojan for iOS uncovered to date.
