In our digital age, geopolitics plays out in cyberspace as much as in physical space. The latest evidence comes straight from Hong Kong, where tens of thousands of pro-democracy demonstrators have been calling for the territory’s leader, C.Y. Leung, to resign. Police responded over the weekend with tear gas.
China’s cyber spies have reacted as well, with malicious software designed to infiltrate demonstrators’ iPhones and Android devices. Malware targeting iPhones is relatively rare, and an attack against both the Apple (AAPL) and Android operating systems is very unusual, suggesting that a powerful organization is behind it, according to Lacoon, the mobile security company that discovered the iOS-targeted spyware.
“Cross-platform attacks that target both iOS and Android devices are rare, and indicate that this may be conducted by a very large organization or nation state,” Lacoon researchers wrote in a blog post yesterday. “The fact that this attack is being used against protesters and is being executed by Chinese-speaking attackers suggests it’s linked to Chinese government cyber activity.”
The opening salvo was a piece of malicious software disguised as an Android app to help activists coordinate protests. Lacoon, which focuses on helping companies protect mobile devices, began analyzing the program, which included tracing the Internet sites with which the spying software communicated, once installed. Such sites are known as “command and control” servers in cybersecurity lingo.
In examining one of these sites, the researchers found another version of the malware, this one designed to steal information from iPhones. Everything on the site is written in Chinese, according to Lacoon. “We haven’t seen anything which has this level of sophistication on iOS, and we’ve never seen something that has a Chinese attribution,” says Michael Shaulov, Lacoon’s co-founder and chief executive officer.
Other research firms have, however. The cyber-intelligence firm iSight Partners has tracked spying efforts aimed at Tibetan activists and other minorities monitored by China’s intelligence agencies.
In one example, the hackers sent malware disguised as a conference app to members of China’s Uyghur community who were attending an organizing event. Users who clicked on the app saw only conference details, while the malware recorded phone calls and even surreptitiously captured conversations through the phone’s microphone, according to John Hultquist, who tracks cyber espionage threats for the company. Both Android and iOS are vulnerable, but iPhones can only be infected if they have been “jailbroken,” meaning that users have removed the default limitations enforced by the Apple operating system on what applications it can run.
Chinese hackers have also used mobile spying devices against Tibetan activists, he said. The technique has proven such rich ground for spies that different parts of the Chinese government and military have competing malware. “Chinese intelligence gathering is often organized along the lines of military regions,” Hultquist said. “Especially in the Chinese context, there seem to be lots of groups working on this.”
China may not even be the most advanced at leveraging the wide adoption of smartphones to spy on their owners, according to iSight’s findings. The Dallas, Texas-based company has been tracking a Russian espionage group it calls Tsar Team, which has used mobile malware to target U.S. government officials, American defense contractors, and even energy company executives. “We’re seeing this group operating in the U.S. space, in the European Union space, they’re hitting jihadists,” Hultquist said. “You can imagine if you’re tracking a Chechen jihadist, what an invaluable tool this is to physically track someone, to listen to their calls.”
Once it gets into your iPhone, the malicious program can access your contacts, text messages, call logs, and pictures. It also gets inside one of the most sensitive locations on the iPhone: the keychain, where other applications, including your e-mail client, store passwords.
Lacoon hasn’t been able to tell how the iOS malware is spreading, that is, what kind of ruse or social engineering the hackers are using to get the software onto devices. It, too, can infect only phones that have been jailbroken, an aspect of the malware that is something of a mystery given how few users jailbreak their phones, according to Shaulov.
One theory is that the hackers have developed a way to jailbreak Apple devices remotely through some undisclosed vulnerability, Shaulov says. He stresses that this is pure speculation, but a scary possibility nonetheless.