Windseeker – A Malicious App

A malicious app dubbed Windseeker has been detected by security experts at Lacoon Mobile Security that utilizes a rare injection in hooking techniques to spy on the users. It is one of those dangerous Android apps which have drawn the attention of experts at the Lacoon Mobile security and the main features of the app are its injection and techniques to spy on mobile users. The techniques are very rare in mobile ecosystem wherein Windseeker operated on rooted Android devices enables attackers to probe on popular instant messaging apps in China, WeChat and QQ.

Lacoon noticed Windseeker in third party app marketplace though an attacker would need physical access to the device to get installed and to register the app. In a recent interview with SC Magazine, Avi Bashan, CISO at Lacoon Mobile Security states that the app’s injection and hooking techniques are a focal point of the threat wherein the techniques has two sections.

The first being the injection that occur on the native file which uses ptrace procedure and is also used to inject a second file to target instant messaging app while in the second section, the injected native file loads a java file which enables to monitor the activity of the messaging app through the API hooking.

Threat – Cause for Worry

This discovery is a cause for worry and Bashan explains that these types of treat could be utilized in spying data of any kind of application. In his blog he has also mentioned about the threat that it was `important to understand that this type of threat could be implemented anywhere’. Bashan further states that `hooking over an API code would mean that each time the app calls to the API, instead of going directly to the system, the data is intercepted by the attacker and when it is on the device, it is called “hooking” and when it is over the network it is known as a man-in-the-middle attack which PC malware has been doing it for years. Bashan has also highlighted in his blog post that the hooking techniques does not seem to be a common attack method in the mobile field.

How Does the Windseeker Functions

Initially the Windseeker checks if the device is rooted since it is essential for the app to run and if rooted, it performs the following process:

• Creates a process monitoring thread which is used to identify if IM apps such as WeChat or QQ are active. 
• Request the user to register with its management server through SMS 
• It injects a malicious code which in fact is the hooking process that enables the Windseeker to spy on WeChat and QQ 
• It directs the monitored data back to the threat actor’s controlled server where the details from the IM chat could be viewed conveniently from a web interface.

The target gets the opportunity of viewing the Windseeker app that is installed but will be unaware of its capabilities of monitoring their instant messaging chats. According to Bashan, till now commercial mobile surveillance apps sought an app’s data through a file system or a memory dump and the hooking techniques indicates a new step in the evolution of threat in mobile resembling the way PC based malware evolved all through the years.

Steps to be taken for Protection - 

• Avoid rooting the device since it exposes the device to these kinds of threats. 
• Avoid installing application from unreliable application marketplaces or unknown sources. 
• Ensure to review your list of installed applications frequently to see if there is anything that is unfamiliar.

iOS Trojan –Malicious Software, Chinese Creation

The Lacoon Mobile security researchers’ team have identified one of its first Apple iOS Trojan attacks to oppose communication of pro-democracy Hong Kong activists. Initial investigation indicates that the Trojan has an impressive number of surveillance capabilities.

The malicious software discovered has been dubbed Xsser mRat which uses social engineering to rob valuable data from jail broken devices while the users unknowingly tap on an install link in phishing messages from unknown users.

The malicious software has been created by Chinese hackers wherein it can obtain various range of personal information which could include the iOS address book, call logs, GSM identities, SMS messages, as well as the approximate geographical location which could be determined by the cell tower ID, pictures on devices together with passwords and other authentication data available in the iOS keychains that are used by Apple ID mail accounts and the other services.

The spyware has the capabilities of obtaining additional data in the cloud like the iOS version, MAC address, device version and phone number, IMSI and IMEI. When it is installed on any device, the Trojan automatically runs on rebooting, updating itself dynamically.

Xsser mRat Targets iOS Devices 

According to Lacoon Mobile Security, the so called virus, Xsser mRat, targets the iOS devices related to Android spyware which have been distributed widely in Hong Kong. In a blog post, it is also mention by Lacoon that Xsser mRat is connected with Android spyware infecting mobile users in Hong Kong which seems to be designed in helping to coordinate Occupy Central Hong Kong protesters and then prepare an attack.

Lacoon has also stressed on the importance of a cross platform mobile attack.It is very rare where cross platform attack could target iOS as well as Android devices, which shows that it could be conducted by some large organization or a big state. Considering that the attack has been used against protesters and executed by Chinese speaking attackers indicates its first iOS Trojan which has been linked to Chinese government cyber function.

The Xsser code has been written in Chinese which has led Lacoon to believe that the attack could be from sophisticated Chinese attackers. There is one hitch wherein the iOS user should have a jail broken device and Android should have a third party app download enabled

First Fully Advanced Operational Chinese iOS Trojan

The Xsser mRat is important since it is the first and most fully advanced operational Chinese iOS Trojan which is presently found. It can cross border with ease and is probably operated by a Chinese entity to spy on foreign companies, individuals or an entire government.

It infects the users’ devices through WhatsApp depending on their geographical proximity to the site of protests and as per Lacoon, Xsser had send out it first message to the user which states `Check out this Android app designed by Code4HK, group of activist coders, for the coordination of Occupy Central’.

When the download link is clicked by the user, they download an apk file unknowingly which presents them with a list of permission that needs to be approved and finally the user is lead to agree to application updates which on doing so, the application gets updated and activates the hidden features of the mRat

Advanced iOS Trojan targeting the Hong Kong protesters

Cyber researchers are clamming to discover the first iOS Trojan, which attacks on the mob of Hong Kong protesters to affect their communications. 

An iOS Trojan known as Xsser mRat is similar in function as an Android virus, and discovered by cyber security researchers, who all believe that this iOS virus is targeting the pro-democracy protesters of Hong Kong. It is computer virus, which spies the operating system of on Apple's such as; iPhone and iPad. According to Lacoon Mobile Security, Xsser mRat is absolutely similar to the spyware of Android, which has initially infected the infected mobile users in Hong Kong. Android spyware was designed to coordinates the protesters of Hong Kong, but soon after infection it launches an attack.

Significance of a cross-platform mobile attack was reported by Lacoon. This cross-platform attack targeted the both Android and as well as iOS and it indicates that it may be conducted by nation state or a very large organization. The fact behind the attack was to use it against the protesters of Hong Kong and it was executed by Chinese-speaking cyber attackers, as first iOS Trojan attack linked to the cyber activity of Chinese government.

The Xsser mRAT is significant as it is first and one of the most advanced, fully operational and functional Chinese iOS Trojan. This malicious software is known as Xsser and is well-capable to steal the text messages, call details, photos, passwords, and other data from Apple devices such as; iPad and iPhone. According to Michael Shaulov, Chief Executive of Lacoon, that Xsser is the most advanced and sophisticated malware and it used to date in any known cyber attack of iOS users.

Programming community Code4HK is working on to support the democracy movement, but in actual it has nothing to do with this phishing expedition. But iPhone and iPad devices are getting infected by single click with mobile Remote Access Trojan (mRAT), when any user clicks on any specific link and soon after that it can easily access the personal data, physical location of phone or device, and can spy on phone calls.

An anonymous attacker was responsible for spreading this Android spyware with the help of platform likes; WhatsApp. Still it’s unclear that how iOS devices get infected by Xsser. According to Michael Shaulov, it is one of the most advanced and interesting developments, as the code used in these programmers are written in Chinese. According to researchers the campaign is high quality and it is coming from somewhere China by sophisticated attackers.

Trojan is the term; used by cyber researchers for virus and it describe malwares, which can enter in the technical device and harm the same. Still Apple has to identify any specific individual, who is suffering from iOS Trojan. It is expected that, it can cross borders easily and it is possible that Chinese-speaking entity is operating the iOS Trojan to spy on foreign companies, individuals, or it can be entire governments or system.

Computer virus can be spread in the air to hack any computer!

Computer development is progressing at breakneck speed. Scientists have developed a prototype virus capable of transmitting data without requiring a network connection! This virus can in fact move in the air using inaudible sound frequencies. It is explained in detail.

As incredible as it may seem, scientists have invented a new concept of computer virus: A virus capable of traveling through the air. This invention is a team of German researchers based at the Institute for Communication work, information processing and Fraunhofer. The prototype requires only a microphone and integrated speakers to work.

Thus, they were able to travel information such as passwords or small amounts of data over distances of about 20 meters. Scientists explain in their paper and they described how the concept of air holes can be considered obsolete now that laptops quite common can communicate with each other through their speakers and internal microphone and can even form a kind of network noise ‘secret’. Hidden on this network, information can travel through multiple hops infected nodes, which means that they are interconnected so completely isolated networks and systems.

 " The sound frequency of which is very close to high frequencies and that of ultrasound is used borrowed from research to transmit data. all acoustic underwater! This allowed his team to transmit data between two laptops Lenovo T400 type simply using their integrated (micro and speakers) sound equipment. The data were thus transmitted at 20 bits per second, which is a fairly high speed to recover passwords, they explain.


“This small bandwidth may actually enable the transfer of critical information.” So far, the transmission of data from one computer to another required the presence of a network. Now, viruses and hackers can use this technique to transmit information while going completely unnoticed! It makes us shudder to realize that ... Would you ever imagine that could spread through the air and infect your computer virus?

First human 'infected with computer virus'

A British scientist has become the first person in the world infected by a computer virus! He bribed a computer chip lodged in his hand for several years with a virus of its making. The approach may seem strange, but its purpose is to warn us of the risks we could face in the future. Scientists around the world are working on nanotechnology to achieve miniature robots capable of handling each parameter of the body: for example, white blood cells to help eradicate diseases, regulate the level of sugar in the blood. In short, the miniaturization of robotics allow medical prowess and should be an important new step for mankind by significantly prolonging our life expectancy. With this in mind, Mark Gasson, a researcher at University School of Systems Engineering Reading in England, voluntarily infected RFID chip he had in his hand. This chip allows access to university buildings and uses the phone. But the infecting, it now has the ability to spread the virus in the systems which access and cut their communications infrastructure. This approach is not malicious: Mark Gasson wants to show that it is very dangerous not to worry about the safety of these future devices that will arrive sooner or later in our body.

The potential of these future devices could well be hijacked by malicious individuals and of course we would be unable to repair our chips by ourselves, which could have extremely serious consequences. This is reminiscent of robots of this type are also experienced for diabetics, as many pacemakers that are configured computer. Some time ago, an American hacker was able to demonstrate that he was able to remotely control some pacemakers and could thus kill the holders of such devices. The company was therefore updated its pacemakers to avoid the situation turns sour. This news makes us shudder when we know how easy it was to infiltrate scientific in these infrastructures. In the near future, to shake hands with a stranger could endanger the hardware that concerns us like phone, laptop, shows and other intelligent devices. Major advances are not safe. But what do you think? Is the development of the internal nanotechnology - which have a real purpose, it is important to remember - you would be sufficiently profitable compared to the risk you are exposed to the worst dangers?