Pro-democracy protesters in Hong Kong have found their phones hit with malicious software that bears many of the hallmarks of past attacks by the People's Liberation Army, according an Israeli computer security firm.
Researchers have identified at least two methods of infiltration, known as mRAT and Code4HK, which purport to be organization tools but in fact are capable of monitoring the communications of anyone who downloads them. Code4HK is disguised as a smartphone app, while mRAT is sent in the form of a phishing link that, once downloaded, turns over a user’s phone address book, call logs and other information. Code4HK also makes it possible for a third-party to pinpoint a user’s exact location and record their phone calls.
Both hacks were identified by Lacoon Mobile Security, an Israeli firm that told the New York Times it’s impossible to identify exactly where the malware originated. Yet, Lacoon CEO Michael Shaulov said considering where the servers involved are based, "it doesn't leave much to the imagination."
“Cross-Platform attacks that target both iOS and Android devices are rare, and indicate that this may be conducted by a very large organization or nation state,” wrote Lacoon Chief Technology Officer Ohad Bobrov in a blog post. “The fact that this attack is being used against protesters and is being executed by Chinese-speaking attackers suggests it’s first iOS trojan linked to Chinese government cyber activity.”
Protesters using both iOS and Android have been targeted.
“It’s a malware with spy behavior,” Siu Cheong Leung, a senior consultant with the Hong Kong Computer Emergency Response Team Coordination Center, told the South China Morning Post. “On its face it’s not suspicious. However once it is installed, it will unpack data from itself to install a second mobile app.”
Along with the U.S. and Russia, China is regarded as one of the best-equipped countries for cyberwarfare. China and the U.S. have had a particularly tense relationship online, including wide-ranging attacks on civilian hospitals, obscure U.S. government agencies and the publication of a “most wanted” Chinese cybercriminal list. Security experts have also suggested that China is behind phishing attacks that have infiltrated American corporations and individuals alike.
Indeed, Lacoon traced such an attack to a computer network at a People’s Liberation Army base in Shanghai, China, that’s believed to be responsible for myriad attacks on U.S. corporations and government agencies. A 60-page study by cybersecurity firm Mandiant identified a nondescript 12-story office building as the likely home of PLA Unit 61398, the mysterious group believed to be leading state-sponsored cyberwarfare.