Attacks install remote access trojans to phish for login credentials
May involve cellphone tower eavesdropping for location-specific attacks
AKAMAI Technologies Inc is alerting enterprises, governments and individuals to the Xsser mobile remote access trojan (mRAT), which targets iOS and Android devices.
The Xsser mRAT is spread through man-in-the-middle (MiTM) and phishing attacks and may involve cellphone tower eavesdropping for location-specific attacks, Akamai said in a statement.
READ ALSO: Backdoor discovered in Android phones by China’s Coolpad
The company has released a new cybersecurity threat advisory through its Prolexic Security Engineering & Response Team (PLXsert).
“Sophisticated malicious actors are targeting unsuspecting mobile device users,” said Stuart Scholly, senior vice president and general manager of the Security Business Unit at Akamai.
“Attackers are impersonating or bypassing Google and Apple app stores and using social engineering to trick users into downloading unverified apps that install malicious applications such as the Xsser remote access trojan onto a user’s mobile device.
“For example, attackers offered a counterfeit Flappy Birds app download to deliver the malicious software,” he added.
Jailbroken iOS devices at risk
Jailbreaking is the process of removing limitations and security checks in the iOS operating system in order to allow users to install applications from other application stores.
In China, for example, 14% of the 60 million iOS devices are estimated to have been jailbroken, often to support the use of third-party Chinese character keyboard apps.
Jailbroken phones are at greater risk for malware, Akamai said.
The Xsser mRAT
Formerly, Xsser mRAT targeted only Android devices, but a new variant infects jailbroken iOS devices.
The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence – preventing the user from deleting it.
The mRAT then makes server-side checks and proceeds to steal data from the user’s device and executes remote commands as directed by its command-and-control (C2) server.
“Infected phones with the remote access software installed could be used for a wide variety of malicious purposes including surveillance, the stealing of login credentials, launching distributed denial of service (DDoS) attacks, and more,” said Scholly.
“With more than a billion smartphone users worldwide, this kind of malware creates significant risks to privacy and a risk of rampant illegal activity,” he added.
It is difficult to detect whether a phone is under attack from malware such as Xsser mRAT, so a focus on prevention is necessary, Akamai said.
Virtual private networks (VPN), two-factor authentication, peer-to-peer proximity networking and commercial phone security applications can provide some protection.
Avoiding the use of free WiFi hotspots and automatic connections, ignoring unexpected communications, not jailbreaking phones and not using apps from untrusted sources are some of the self-protection approaches discussed in Akamai’s advisory.
A complimentary copy of the threat advisory is available for download at www.stateoftheinternet.com/xsser.
Palo Alto Networks report on ‘unprecedented’ iOS and OS X malware
Bring your own danger with Google Play: Survey
Juniper: Mobile threats more rampant as attackers become more ‘entrepreneurial’
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.