Researchers uncover latest version of Chinese spyware used to target dissidents

Lookout says a newly discovered variant of mobile malware, dubbed xRAT, represents the latest iteration of a sophisticated cyber-espionage tool previously used by the Chinese government.
(Cheon Fong Liew / Flickr)

Security researchers believe a newly discovered variant of mobile malware, dubbed xRAT, represents the latest iteration of a sophisticated cyber-espionage tool previously used by the Chinese government against dissidents, according to evidence published by cybersecurity firm Lookout.

The first sample of xRAT appeared in April, said Michael Flossman, a security researcher with Lookout, and since then more than 60 unique samples belonging to this same RAT family have been found. RAT is short for remote access trojan, a kind of malicious software program that installs a back door on a device so the attacker can take administrative control.

“Initially when we started investigating [xRAT] our attribution suggested the actor behind it was likely Chinese, due to a combination of comments in the code, the types of apps being trojanized, and the location and whois details of command and control infrastructure,” Flossman explained. “Further analysis revealed a strong connection to mRAT. This supported our earlier theories on potential attribution given what’s publicly known about those behind mRAT.”

When pro-democracy protests broke out in Hong Kong in 2014, mainland China launched a concentrated censorship effort to control the information coming out of the chaotic streets of Causeway Bay. In addition to controlling and monitoring internet usage, some experts believe that Beijing targeted protestors with spyware to track their movements and communications. One of the malware variants associated with this 2014 Chinese surveillance campaign is known as mRAT.


Like the newer variant, mRAT allows for the hacker to spy on a target by collecting contact information, text logs, emails, browsing history and more. Each iteration has largely, if not exclusively, been used against politically active groups, researchers said.

Released Thursday, Lookout’s research outlines a significant overlap between mRAT and xRAT, which indicates that a single author is likely behind the two pieces of malware. Both variants are thought to rely on the same infection vector, which involves convincing a person into downloading a booby-trapped mobile application that carries the virus.

A blog post by the San Fransisco-based mobile security company said that samples from both mRAT and xRAT families “have an almost identical code structure, make use of the same decryption key, share certain heuristics and naming conventions, and interestingly contain anti-debugging techniques that cause the a frequently-used malware researcher tool, the dex2jar decompiler, to crash.”

Where the command and control infrastructure for xRAT is located, according to LookOut

While nearly indistinguishable, xRAT comes with some additional features that allow for it to remotely exfiltrate data from two different messenger apps, QQ and WeChat, which are popularly used in China. The latest version also comes with a unique self-destruct feature that gives the operator the ability to quickly wipe evidence of their surveillance mission.


“The threat actor behind mRAT is still active on mobile despite having their surveillanceware capability put in the spotlight almost three years ago … they are clearly undeterred,” Flossman said. “It’s likely that they’ve taken what they’ve learnt during the mRAT campaign and incorporated it into the development of xRAT.”

Notably, the rise of xRAT coincidences with a recent decrease in the number of mRAT samples collected by Lookout.

“Despite mRAT being around for much longer, we’ve only seen six samples from April 2017 onwards, which is significantly less than during both 2016 and 2015,” Flossman told CyberScoop. “This could indicate the actors are phasing out its use in favor of xRAT.”

The use of mobile malware to conduct targeted surveillance against Chinese dissidents, specifically in contested territories like the Tibet region, is an ongoing theme that spans multiple years and cyber operations, according to Barry Vengerik, a principal threat analyst with U.S. cybersecurity firm FireEye.

Chris Bing

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Marys College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.

Latest Podcasts