There’s a new trojan in town, one that attacks jailbroken iPhone, iPod touch and iPad devices.

As discovered by Lacoon, the malicious software dubbed Xsser mRAT uses social engineering to steal valuable data from jailbroken devices by fooling unsuspecting users to tap on an install link in phishing messages from unknown senders.

Created by Chinese hackers, it can extract a vast range of personal information including your iOS address book, SMS messages, call logs, GSM identities, your approximate geographical location (as determined by the cell tower ID), on-device pictures, as well as passwords and other authentication data in the iOS keychains used by your Apple ID, mail accounts and other services.

The spyware also sucks out additional data into the cloud, such as your iOS version, MAC address, phone number and device version, IMSI and IMEI. Once installed on a user’s device, the trojan runs immediately after a reboot and updates itself dynamically.

Noting that the exact attack vector is largely unknown, Lacoon has been able to determine that the malicious software leverages the popular Cydia store in conjunction with a special server that contains a Cydia repository for the mRAT debian package for both iOS and Android devices.

Xsser mRAT (malicious Cydia package)

“With Cydia installed, the repository would be need to be added and then the package could be installed,” notes the article. The package then installs an iOS ‘launchd’ service to make sure the trojan starts immediately after rebooting your device.

The attackers have gone to great lengths to maintain their anonymity by using a Whois protection service on malicious servers. The servers themselves seem to be connected to a VPS service and can be accessed by RDP connections.

Xsser mRAT (spreading process)

What can you do to protect yourself from Xsser mRAT.

Obviously, if you’re not jailbroken you’re in the clear. If you’re jailbroken, however, you should be careful about accepting links from unknown senders via WhatsApp, iMessage and other instant messaging platforms.

The Xserr mRAT trojan was successfully used Thursday against the Occupy Central protesters in Hong Kong, who received a WhatsApp link inviting them to install the trojan, which disguised itself as an app to help coordinate protesters.

And because Xsser mRAT is a cross-platform trojan targeting both iOS and Android devices, Lacoon believes it’s the first iOS trojan linked to the Chinese government cyber activity.


  • Frank Anthony

    Ok. Now this is why i don’t like the Chinese very much. Those guys are so nerdy:) still on iOS 8, Not Jailbroken 😉

    • Dan

      overgeneralization much?

      • Frank Anthony

        Just saying… They’re cool though, no sh!t 🙂

      • Damian

        i think he expresses most peoples thoughts. Yes he generalizes, but we all do it at times.

        The main issue comes from chinese themselves. They tend to stick together and support only each other. They don’t socialize too much with other ethnic backgrounds. Therefore, other people feel alineated and tend not to sympathize with them. It is based from my observation while attending universities in canada and living there for many years.

      • Hmm, I must have been lucky ’cause I’m no Chinese and I made lots of Chinese/Asian friends during my University studies in Canada…maybe just Chinese/Asian engineers are friendly 😛

      • Damian

        I am not saying they are not friendly, but they tend to stick with each other and live in their own bubble.

      • Dan

        Which university did you go to in Canada? I did a bachelors at Concordia and another at UQAM (Montreal, Quebec).

      • Went to University of Calgary in Alberta for my bachelors. Now gaining some hands-on experience before I go back for masters…

      • Dan

        Cool, it’s a nice city, spent a week there once. Not too far from Banff, I’d be going there all the time 🙂

      • BoardDWorld

        Again, iDB failed to mention whether this was an issue if you have changed your root & user password?

      • chris

        True on this one..

    • :/

      You should concern yourself with your own government first. Mass murdering, genocide causing America.

      • Waleed

        agree Dude !!

      • sivkai

        *Looks at your username*

        Waleed. Checks out.

        Tell me Waleed, which Muslim country are you from (or Western country you have emigrated to)?

      • Waleed

        i’m from Pakistan, i live here 🙂

      • sivkai

        Wow…you’ve made my job too easy.

        So you have the audacity to criticize the US from Pakistan, when your country is notorious for harboring terrorists like Osama Bin Laden, executing non-Muslim minorities, denying basic human rights, being plagued with corruption and ineffective government, etc, etc. You get my point.

        Listen, no one is saying the Americans are saints, but when you sling mud at them on a TECHNOLOGY blog, expect a response putting you in your place.

      • benny001

        He was not criticizing / he was just agreeing. & so do i.

      • romeodesigns

        How did you get that far from how simple answer? Are you a psychologist and tried to break down his words and made them
        Into what you wanted them to be?

      • Waleed

        listen one thing, our religion truely doesn’t teach us to speak like u’re doing, (u call call muslims whatever like terrorists, those who are terrorists are not one of us, are not muslims, our religion doesn’t teach terrorism stuff)
        so i better don’t say something against you, just keep the smile on your face

      • romeodesigns

        Well put.

      • Rahimo

        You are right Waleed !! Islam never means Terrorisme, actually the word “islam” means in arabic “peace” , so those people you see in TV making those crimes #Sivkai talked about, they are not muslim !!
        I hope this person Sivkai read this !!

      • Endriu Andrei

        democracy in 3…2…1

      • Damian

        maybe Waleed fights for the freedom of the world, therefore not criticizing but defending our rights. 😀

      • Frank Anthony

        Hey dude, I’m not American and not a fan of Obama or Donald Cameron:)

      • chris

        and gun frenzy against black community, just to mention

    • toortoor

      well, don’t you think it was a little to easy to connect it to the chinese, using a chinese domain registerer, sending messages to chinese protesters and etc, 🙂
      and the chinese government will probably not comment on that, so they are as good as guilty 😉

      but yes, it is also possible it is the chinese government and they were just careless 🙂

    • Kurt

      Racist much?

    • chris

      are russian hackers or Romanian hackers better???

  • Victor Molina

    I would feel a lot saver if the iOS 8 came from evaders

    • CAS

      yeah, I agree.

    • Christian Mejía

      Most likely won’t happen though.

  • Dao Sasone

    As smart as the chinks are I wonder why they haven’t taken over the world yet.

  • just apple

    • This isn’t Apple’s problem. This is because of jailbreak. Apple is most likely laughing their asses off at this, and rightly so.

      • yes isn’t aPPLE problem……

        I say jailbreak is Theft of app store…no?????

      • CAS

        You don’t get what a jailbreak is, right?

      • … What?


      • Andrew

        Jailbreak was never meant for App Store piracy.

      • :/

      • Marco Bartolomeu

        80% of the people that did jailbreak is to tune up his device… (so i thing)

      • romeodesigns

        It’s to claim your device and make it your own. Not to steal apps. That’s only a small minority, so generalizations are never appreciated.

      • gaya


      • 😉

  • Bugs Bunnay

    down with the Chinese government. I hope hong kong’s umbrella revolution triumphs over tyranny.

  • Rowan09

    Damn. These guys are making jail breaking less appealing now-a-days.

  • Beta382

    This isn’t newsworthy. ANY tweak could do this. You literally have to add a shady repo and then download a random package from it in order to become “infected”.

    Best protection? Don’t add shady repos and download random packages.

    • Guest

      Do we have to use the word shady in the year 2014?

  • butterfield

    I can’t imagine installing ANYTHING that comes from a message from ANYONE.

  • jgr627

    Another devastating blow to the jb community. Def a bad year for Cydia

  • justme

    *whatsapp message*

    – do you want to install a Trojan?
    – Yes! please
    – then. click on this link…
    – 🙂

  • abdullah575

    I said to you all, jailbreak is not safe!!! It just ruined my device and make it lag and more …

    • Utrarunner5

      so restore.

    • chris

      really? full jailbreaked and tweaked on Iphone 6 ios 8.1.2.
      Running smooth and beautiful

    • chris

      may be you installed 1 bad tweak. it can happen. but from reputable souces (BIG BOSS, …) they are all good

  • jack

    damn chinese

  • Dexter

    Glad I avoided jailbreaking I guess…

    • Andrew

      What? Jailbreak wasn’t what caused it If you don’t pirate you’d be all good.

      • Dexter

        Not true actually but I am not one to start a flame war.

      • Andrew

        Why isn’t it true? Jailbreaks existed long before the AppStore existed.

  • Sleetui

    How would we remove the trojan? Via iFile?

  • poporopo00

    An iphone without a jailbrek is a piece of crap.
    …i do have an iphone 5S with IOS7.1.2 of course. I’m not updating to IOS8 or even upgrading my phone if a jailbreak doesn’t come out.

    My personal opinion.

  • Meh, same old story; if you want device freedom/flexibility, you gotta think before you click. That’s how it’s been on Android, that’s how it is in the jailbreak world.

    If you can’t fix the problem between the chair and the keyboard, then you should really have someone like Apple holding your hand and doing your thinking for you…

    • Kurt

      I’d rather have a jailbroken device with a trojan than stock iOS. lol

    • Hyr3m

      PEBCAK at its best 😀

  • Living in Hong Kong and guess I’m not on the same #OccupyCentral group as most via WhatsApp so happy that I dodged that bullet!

  • gaya

    remembering steve

  • I’m glad I updated to iOS 8.0.2. I don’t want my iPhone being “infected”.


    Wow this got off topic real quick. And hey let’s not do the whole America or anyone else is a genocidal maniac. Truth is if you look ant any countries past we all have blood on our hands. So let’s stop pointing fingers and work together to solve things together.

  • Michael Sweeney

    Number 7 says “Fuck_iphone function”. Is that what really happens?
    Your iPhone is completely toast.