Hackers Target Hong Kong Protesters via iPhones

Malware that cracks both Apple and Android hit Hong Kong protesters
Demonstrators in Hong Kong. Photograph by Carlos Barria/Reuters

When the Hong Kong protests were at their height, activists using WhatsApp received messages advertising a program that promised to help them coordinate protests. When the demonstrators downloaded the program through a link in the message, it turned out to be malicious software—most likely created by the Chinese government—that hacked their smartphones. Lacoon Mobile Security, based in San Francisco, began to analyze the phony app after spotting unusual communication on the networks of its corporate clients, some of whose employees had downloaded it. In tracing the spyware’s path to the websites where it sent data, Lacoon’s researchers found a much rarer species of malware: a version that can steal information from iPhones.

Once the malware gets into an iPhone, it can gain access to contacts, text messages, call logs, and pictures. It can upload files and play recordings, as well as steal data. It gets inside one of the most sensitive locations on the iPhone: the keychain in which other applications, including e-mail, store passwords.

Android and iOS are both vulnerable. It’s not easy to hack a phone running iOS; iPhones can be infected only if they have been “jailbroken,” meaning that users have removed the default limitations the Apple operating system enforces on what applications the device can run. Everything on the malware-signaling site that Lacoon found—a “command and control” server, in cybersecurity lingo—was written in Chinese. “We haven’t seen anything that has this level of sophistication on iOS, and we’ve never seen something that has a Chinese attribution,” says Michael Shaulov, Lacoon’s co-founder and chief executive officer. Taken together, those factors suggest that the hackers work for the Chinese government, he says. The Chinese embassy declined to comment.

While Lacoon hadn’t come across anything like the Hong Kong malware before, other researchers had. ISight Partners, a cyber intelligence company based in Dallas, says the program resembles spying efforts by China’s intelligence agencies against ethnic Tibetan activists and other minorities. In one case last year, the hackers sent malware disguised as an app to members of China’s Uighur community who were attending a conference. Users who clicked on the app saw only conference details, while the malware recorded phone calls and even surreptitiously captured conversations through the phone’s microphone, according to John Hultquist, who tracks cyber espionage threats for ISight.

The use of mobile spying devices has proved such rich ground for espionage that various branches of the Chinese government and military have competing malware. “Chinese intelligence gathering is often organized along the lines of military regions,” Hultquist says. “Especially in the Chinese context, there seem to be lots of groups working on this.”

Beyond China, ISight has been tracking a Russian espionage group it calls Tsar Team, which has used mobile malware to target U.S. government officials, defense contractors, and energy company executives. “We’re seeing this group operating in the U.S. space, in the European Union space, they’re hitting jihadists,” Hultquist says. “You can imagine, if you’re tracking a Chechen jihadist, what an invaluable tool this is to physically track someone, to listen to their calls.”

Lacoon hasn’t been able to tell how the Chinese-language malware used in Hong Kong managed to crack iOS. It, too, can infect only iPhones that have been jailbroken, which happens at a higher-than-average rate in China but is still relatively rare, according to Shaulov. One theory is that the hackers have developed a way to unlock Apple devices remotely through some undisclosed vulnerability, he says. He calls the possibility pure speculation—but scary nonetheless.

The bottom line: The rare breaches of iOS security in Hong Kong are one sign that the hackers were Chinese military.