Spyware targets Hong Kong protestors using Android, jailbroken iPhones or iPads

[Image: Galaxy S5 vs iPhone 5s (Image credit: iMore)]

There's a new kind of spyware going around called Xsser that's reportedly targeting protestors in Hong Kong. The spyware — which appears to have ties to Android malware discovered last week — is installed via a Debian package and requires the victim's iPhone or iPad to be jailbroken. Breaking the root jail of iOS can provide functionality beyond what Apple currently ships, but it also strips away the built-in security that iOS relies on. Just as jailbreak software can be loaded, malicious software can be loaded. (The same goes for bypassing Android's default security settings, and for opening up a phone to root access.) So what's going on with Xsser, and how can you protect yourself?

Reuters has a quasi-report up that mislabels Xsser as a virus, doesn't link back to its source, and neglects to mention that only jailbroken iOS devices seem to be vulnerable, but does provide the following overview:

The malicious software, known as Xsser, is capable of stealing text messages, photos, call logs, passwords and other data from Apple mobile devices, researchers with Lacoon Mobile Security said on Tuesday. They uncovered the spyware while investigating similar malware for Google Inc's Android operating system last week that also targeted Hong Kong protesters. Anonymous attackers spread the Android spyware via WhatsApp, sending malicious links to download the program, according to Lacoon.

Lacoon itself is more thorough:

Lacoon hasn't uncovered information regarding the method or vector of attack. The iOS device needs to be jailbroken in order to be infected. Then, with Cydia installed, the repository would need to be added and then the package could be installed. All that's known is that both the iOS and Android attacks share a CnC server. The package itself is a Debian .deb package. The package installs an iOS 'launchd' service to make sure the app starts after booting and in addition starts it up immediately.
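The persistence step Lacoon describes (a .deb whose payload drops a launchd job so the implant starts at boot) is easy to check for before a package is installed. The script below is an added, defender-oriented example, not code from Lacoon, iMore, or the Xsser package: it walks a Cydia-style .deb (an `ar` archive holding `debian-binary`, `control.tar.*` and `data.tar.*`), pulls any plist the payload would place under `/Library/LaunchDaemons` or `/Library/LaunchAgents`, and reports the job's label, program and `RunAtLoad`/`KeepAlive` flags. The package it builds and inspects is constructed sample data; the label `com.example.agent` and the path `/usr/bin/example-agent` are placeholders, not indicators from the real malware.

```python
"""Triage a Cydia-style .deb for launchd persistence before installing it.

Added example (not Lacoon's, iMore's, or the Xsser package's code). The
package built by build_sample_deb() is constructed sample data that models
the behaviour described in the article: a payload that drops a launchd plist
so its binary is started at boot and kept alive.
"""
import io
import plistlib
import tarfile

AR_MAGIC = b"!<arch>\n"
LAUNCHD_DIRS = ("Library/LaunchDaemons/", "Library/LaunchAgents/")


def _tar_bytes(files):
    """Build a gzipped tar archive in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _ar_member(name, data):
    """Encode one member in the classic 'ar' format that .deb files use."""
    header = (name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
              + "100644".ljust(8) + str(len(data)).ljust(10) + "`\n").encode()
    return header + data + (b"\n" if len(data) % 2 else b"")  # even padding


def build_sample_deb():
    """Constructed .deb: a stub binary plus a RunAtLoad/KeepAlive launchd job."""
    plist = plistlib.dumps({
        "Label": "com.example.agent",                 # placeholder label
        "ProgramArguments": ["/usr/bin/example-agent"],  # placeholder path
        "RunAtLoad": True,
        "KeepAlive": True,
    })
    control = _tar_bytes({"./control": b"Package: example-agent\nVersion: 1.0\n"})
    data = _tar_bytes({
        "./usr/bin/example-agent": b"\xca\xfe\xba\xbe",  # stand-in for a Mach-O
        "./Library/LaunchDaemons/com.example.agent.plist": plist,
    })
    return (AR_MAGIC + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control)
            + _ar_member("data.tar.gz", data))


def ar_members(blob):
    """Yield (name, bytes) for each member of an 'ar' archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]
        name = header[0:16].decode().strip().rstrip("/")
        size = int(header[48:58].decode().strip())
        pos += 60
        yield name, blob[pos:pos + size]
        pos += size + (size % 2)  # members are padded to an even offset


def find_launchd_persistence(deb_blob):
    """Return the launchd jobs a package would install, with their start flags.

    The data member is opened with tarfile's auto-detection ('r:*'), which
    covers gzip, bzip2 and xz; the constructed sample uses gzip.
    """
    findings = []
    for name, data in ar_members(deb_blob):
        if not name.startswith("data.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for member in tar.getmembers():
                path = member.name[2:] if member.name.startswith("./") else member.name.lstrip("/")
                if not (member.isfile() and path.endswith(".plist")
                        and path.startswith(LAUNCHD_DIRS)):
                    continue
                job = plistlib.loads(tar.extractfile(member).read())
                findings.append({
                    "path": "/" + path,
                    "label": job.get("Label"),
                    "program": job.get("Program")
                               or (job.get("ProgramArguments") or [None])[0],
                    "run_at_load": bool(job.get("RunAtLoad")),
                    "keep_alive": bool(job.get("KeepAlive")),
                })
    return findings


if __name__ == "__main__":
    for hit in find_launchd_persistence(build_sample_deb()):
        print(hit)
```

Run stand-alone, the script reports the one job in the constructed package. Pointed at a real .deb downloaded from a repository, any job under LaunchDaemons that launches a binary you did not expect from that package, especially one with KeepAlive set, is worth a closer look before tapping Install.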

If you think you're at risk from Xsser, until more is known about how it is being spread, removing your jailbreak by upgrading or restoring to an official version of iOS is the best way to protect yourself.

Nick Arnott contributed to this article.

Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

  • For Android, it looks like you'll want to only trust apps from the Google Play Store?
  • Sounds reasonable enough--we already use OSX/Windows the same way. I haven't heard of malware being a problem on Android recently anyways. Google has a service that automatically verifies installed apps too. Posted via the iMore App for Android
  • And don't check "Allow unknown sources" so you can't install it even if you find it somehow. Posted via iMore App
  • Another good reason to not jailbreak your iPhone. Sent from the iMore App
  • Another good reason not to jailbreak your iPhone. Sent from the iMore App
  • 1 reason to not jailbreak isn't a good reason. Especially when screwing up a jailbreak is almost always the user's fault. I can walk across a street on my own thank you very much. I don't need Apple holding my hand to make sure I'm safe. Posted via iMore App
  • "... removing your jailbreak by upgrading or restoring to an official version of iOS is the best way to protect yourself." You wouldn't want to void your warranty by jailbreaking anyway. Even if Big Brother wasn't spying on you.
  • As if a factory reset (as advised before bringing your phone in for warranty work) wouldn't make the jailbreak undetectable. Posted from my TARDIS!
  • I am a former Android user and now I am using an APPLE iPhone 6 that I recently bought from http://www.vmart.pk/apple-iphone-pakistan/ ! Though APPLE devices are awesome, when it comes to the range of applications, I prefer Android devices. They have given their users much space to download great apps for free. When it comes to iTunes, they want their users to pay for almost every app! Furthermore, the concept of factory unlock and that jailbreak is so annoying, and then their laws of using the APPLE iPhone etc.. AH! What can I say further... :\
  • As someone who has used both platforms keep in mind that you get what you pay for. Free does not equal worthwhile on any platform. Usually a free version means a bad experience or lacking features. My advice, try a few paid and free apps and see what you think.
  • It only affects Android phones if you are stupid enough to click a link to download it. If you have the unknown sources unchecked in settings...which is the default...this can't happen. I love how you stress so hard about iOS needing to be jailbroken, but pretend Android is just a free for all. C'mon. Posted via the iMore App for Android
  • Rene's comment. Read it. Take a deep breath. Calm down. Posted via iMore App
  • "removing your jailbreak by upgrading or restoring to an official version of iOS is the best way to protect yourself." How about don't install anything from pirate or untrusted repos first? No need to go after the fly with a sledgehammer ESPECIALLY since the 7.1.2 signing window just closed.
  • Maybe I'm overanalyzing, as I tend to, but with most posts that have to do with iOS and Android, you guys hide "Android" in the actual article, or mention it behind iOS. Coincidental that you mention Android first in a post that's negative about both of them?
  • You're overanalyzing. Posted via iMore App