Chinese Government Targets Hong Kong Protesters With Android mRAT Spyware

Protesters in Hong Kong are being targeted by a social engineering campaign aiming to infect Android devices with an advanced surveillance mRAT

A malicious, fake Android mRAT app claiming to coordinate the Occupy Central pro-democracy movement has been circulating online since last week. Activists have been receiving a link to the application via Whatsapp phishing messages from an unknown phone number with the message “Check out this Android app designed by Code4HK, group of activist coders,  for the coordination of Occupy Central!”.


Code4HK is a group of activist coders trying to improve government transparency in Hong Kong.

Once the victims click on the link, their devices are infected an advanced mRAT (Mobile Remote Access Trojan) that has many data collection and extraction methods.

How Does the mRAT Infect a Device?

After the victim presses the link in the Whatsapp message, an .apk file is downloaded. Once the user attempts to install the apk, the user is presented with a an extensive permissions list that the apk needs.

When the user first opens the app, a dialog box will promp the user to update the app with the text:“Application updates, please click to install”. If the user agrees, the app is updated and the espionage capabilities are activated, otherwise the application closes.

What Can the mRAT Extract from the Device?

The mRAT is undoubtedly one of the more advanced we’ve seen. It can extract almost anything it wants from the device, making it an extremely versatile method of surveillance:

  • Address book
  • SMS messages
  • Call logs
  • Geographical location (based on cell id)
  • Pictures and Files
  • Emails
  • Browser history
  • Device IDs (Phone Num, IP, Model, Operator, SIM serial, OS version)
  • cpu frequency
  • memory
  • Network Data (Location based on IP, MAC address, network state

What Other Capabilities does the mRAT Possess?  

  • Can upload files to the victim’s device (Either from a remote device or a URL), on command
  • Call a number
  • Can execute commands within the “/system/bin/sh” directory as well as run “su” shell and a listen socket for commands before relaying results back to the CnC server
  • Delete a specific file from the device.
  • Initiate a delayed audio recording on the device.

Who is controlling the mRAT?

The identity of the victims, as well as data from the CnC (Command and Control) servers lead us to believe that the Chinese Government are behind the attack. This is also a very advanced mRAT that is undoubtedly being backed by a nation state. Our research also led us to command logs that detail just how and what is being extracted from the victims’ devices.

It’s also worth mentioning that we made quite an intriguing discovery while researching this Android mRAT:

It seems that this attack is part of a larger cross platform attack targeting both Android and iOS devices.

A unified attack of this scale and technological capability is very rare. We’ll be releasing our extensive findings on the iOS mRAT, which we’ve christened “Xsser”,  shortly.