Just the Facts: Xsser mRAT iOS Malware
There has been a lot of alarm about Xsser mRAT, the iOS malware, and while there might be some cause for concern, we wanted to lay out the facts as we see them. The threat was originally discovered by Lacoon Mobile Security, and the press has since speculated about its potential to conduct surveillance on the mobile devices of pro-democracy protesters in Hong Kong. Xsser mRAT definitely has the ability to collect a wide range of data from compromised devices. Lookout has seen no evidence that this threat was ever distributed, and any allegations of Chinese state sponsorship are speculative. Other than residing on the same server as the “OccupyHK” Android malware, there is no indication that this threat was created for, or targeted towards, the Hong Kong protesters. There is, however, clear evidence that the Android malware was actively seeded through a phishing campaign via WhatsApp Messenger. We believe the severity of this threat, as it stands now, is low. With no evidence of active distribution of this threat and the command and control servers appearing to be down, Xsser mRAT does not pose an immediate risk to iOS devices in Hong Kong or elsewhere. Moreover, it would take multiple steps to successfully compromise a device with Xsser mRAT, which, in our minds, makes it a low risk even if it ever became actively distributed.
These steps are:
- The iOS device must be jailbroken
- The Cydia app must be installed
- A new Cydia repository must be added
- The Xsser mRAT package must be installed from that specific repository
Given this barrier to entry, attackers would either need physical access to the target device or need to convince a potential victim to complete these steps themselves. The flow is somewhat more complex than for Android malware, which creates more of a barrier to entry and would require more sophisticated social engineering. Granted, jailbroken iOS devices are more common in Asia than in the Western Hemisphere, and it’s probable that many protesters in Hong Kong already use jailbroken iOS devices. The notion, however, that Xsser mRAT “can cross borders easily” into populations where jailbreaking is relatively uncommon is questionable, given its first-order dependency on jailbroken devices. In short, a large-scale infection and iOS surveillance campaign through Xsser mRAT appears highly impractical and unlikely. Lookout’s security app alerts iOS users when it detects a jailbreak, and Lookout recommends that individuals only jailbreak their devices if they understand all of the security risks.
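The four prerequisites listed above double as a checklist a defender can audit. The following is an added example, not Lookout's code or any part of its app: it takes a snapshot of filesystem paths, the device's APT/Cydia source lists and its installed package list, and reports how many of the four steps the device has already completed. The jailbreak artifact paths are well-known indicators but the list is illustrative; the set of "expected" repositories, the sample data and the watched package name (a placeholder, since the post names no package identifier) are all constructed for the example.

```python
"""Added example: map a jailbroken-iOS device snapshot onto the four
infection prerequisites the post lists. Not code from the original post."""
from dataclasses import dataclass, field
import re

# Well-known artifacts a jailbreak / Cydia install leaves behind.
# Assumption: illustrative, not an exhaustive detection list.
JAILBREAK_PATHS = {
    "/Applications/Cydia.app",
    "/private/var/lib/apt",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/bin/bash",
    "/usr/sbin/sshd",
}
CYDIA_APP = "/Applications/Cydia.app"

# Assumption: repositories the reviewer treats as expected on a jailbroken
# device; any other host counts as "a new Cydia repository" (step 3).
KNOWN_REPOS = {"apt.saurik.com", "apt.thebigboss.org"}

# Cydia uses APT-style source lines: "deb <uri> <suite> [components...]"
SOURCE_RE = re.compile(r"^\s*deb\s+(\S+)(?:\s+\S+)*\s*$")


@dataclass
class Assessment:
    jailbroken: bool                 # step 1
    cydia_installed: bool            # step 2
    extra_repos: list = field(default_factory=list)         # step 3
    suspicious_packages: list = field(default_factory=list)  # step 4

    @property
    def steps_completed(self) -> int:
        """How many of the four prerequisites this device satisfies."""
        return sum([self.jailbroken, self.cydia_installed,
                    bool(self.extra_repos), bool(self.suspicious_packages)])


def parse_sources(text: str) -> list:
    """Return the lowercased host of every 'deb' line, ignoring comments."""
    hosts = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # strip trailing comments
        m = SOURCE_RE.match(line)
        if not m:
            continue
        uri = m.group(1)
        host = re.sub(r"^[a-z]+://", "", uri).split("/", 1)[0]
        hosts.append(host.lower())
    return hosts


def assess(paths, sources_text, installed_packages, watch_packages) -> Assessment:
    """Evaluate one device snapshot against the four-step checklist."""
    present = set(paths)
    jailbroken = bool(present & JAILBREAK_PATHS)
    cydia = CYDIA_APP in present
    extra = [h for h in parse_sources(sources_text) if h not in KNOWN_REPOS]
    suspicious = sorted(set(installed_packages) & set(watch_packages))
    return Assessment(jailbroken, cydia, extra, suspicious)


# Constructed sample snapshot of a device that has completed every step.
SAMPLE_PATHS = ["/Applications/Safari.app", "/Applications/Cydia.app",
                "/private/var/lib/apt", "/usr/sbin/sshd"]
SAMPLE_SOURCES = """# constructed sources list
deb http://apt.saurik.com/ ios/ main
deb http://repo.example.invalid/ ./
"""
SAMPLE_PACKAGES = ["com.saurik.cydia", "com.example.xsser-placeholder"]
WATCH_PACKAGES = ["com.example.xsser-placeholder"]   # placeholder identifier

if __name__ == "__main__":
    result = assess(SAMPLE_PATHS, SAMPLE_SOURCES, SAMPLE_PACKAGES, WATCH_PACKAGES)
    print(f"steps completed: {result.steps_completed}/4")
    print(f"extra repositories: {result.extra_repos}")
    print(f"watched packages present: {result.suspicious_packages}")
```

A device that clears zero or one step (for example, a stock iPhone with no Cydia and no extra sources) is exactly the population the post argues Xsser mRAT cannot reach, while a device that clears all four is the narrow case where the threat applies.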