iOS and Android OS Targeted by Man-in-the-Middle Attacks
Mobile remote access Trojan: the Xsser mRAT

Formerly, Xsser mRAT targeted only Android devices, but a new variant infects jailbroken iOS devices. The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence – preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server.

"Infected phones with the remote access software installed could be used for a wide variety of malicious purposes including surveillance, the stealing of login credentials, launching distributed denial of service (DDoS) attacks, and more," added Scholly. "With more than a billion smartphone users worldwide, this kind of malware creates significant risks to privacy and a risk of rampant illegal activity."

The best protection is to prevent infection

It is difficult to detect whether a phone is infected with malware such as Xsser mRAT, so prevention must be the focus. Virtual private networks (VPNs), two-factor authentication, peer-to-peer proximity networking and commercial phone security applications can provide some protection. Avoiding free Wi-Fi hotspots and automatic connections, ignoring unexpected communications, not jailbreaking phones and not installing apps from untrusted sources are among the self-protection measures discussed in the advisory.

Get the Man-in-the-Middle Attacks Target iOS and Android Threat Advisory to learn more

In the advisory, PLXsert shares its analysis and details, including:

· Open source intelligence about attacks against mobile devices
· How attackers access Android devices
· How attackers access iOS devices
· Man-in-the-middle GSM and CDMA vulnerabilities
· Why jailbroken phones are at high risk
· How Xsser mRAT ends up on mobile phones
· The malicious use of the Cydia repository
· Infection prevention tips

A complimentary copy of the threat advisory is available for download at www.stateoftheinternet.com/xsser.