Safeguard Defenders, September 10, 2017
A new report by a Lookout, a Cybersecurity company, has generated renewed interest in the security, or lack thereof, of WeChat and QQ (https://blog.lookout.com/xrat-mobile-threat). Despite this, there has been limited attention paid to this explosive new revelation.
It has long been known that due to WeChat keeping its servers inside China, the lack of legal protection of privacy data, and the control over companies by police, that WeChat data is not safe, and can, without protection, be accessed by police or other state actors more or less at will. This has naturally made people shy away from using WeChat for any more serious or political discussions. More and more court cases of people being prosecuted simply based on private chat messages to friends have further illustration this. At the same time, at the time of the Occupy Central movement in Hong Kong, it was shown that a ‘Trojan’ virus was being employed to surveil users remotely.
xRAT. That’s the name of the new discovery. Like the earlier virus found, it’s a ‘Trojan’ virus, meaning it masks itself as something else, for example a PDF file, and you will be unaware of if you have it on your phone by now. It specifically targets you through your WeChat or QQ account.
So what’s the big deal?
The ‘Trojan’ operates with administrator privileges. It means it can access and control any and all aspects of your phone. It also means it can do so without you noticing. In fact, it can remotely get ‘full control’. If you want to understand what this means it is this: it has as much access to your phone as if you were to give it to someone, and then tell them your PIN code. Full control.
This means that not only your WeChat or QQ use is exposed. All of your phone is exposed. Photos stored, downloads, documents, any Apps to other services installed, chat logs, phone records, contact lists, and of course, your browser and its entire browsing history, which may include credit card and password and login information to other service, for example encrypted emailing you use.
In short, any phone that has WeChat on it, and is also used to access work emails, or secure chat programs like Telegram or Signal, can now be in the hands of Chinese police or state security. For the community of supporters of human rights in China it moves from bad to terrible. You can now, if you communicate with human rights defenders in China through secure Apps or emailing on a phone that has WeChat or QQ installed, inadvertently be giving the Chinese police material that will incriminate those human rights defenders and land them in prison.
To make matters worse, administrator privilege means you microphone can be turned on, and stream whatever is heard to the Chinese police. Same with video camera and camera. It is a most sophisticated spying tool with far-reaching consequences. It can, it goes without saying, read you location, as well as the specific meta-data of your phone.
If that wasn’t enough, there is one last thing, which makes it such a sophisticated virus. It can auto destruct itself. And when doing so, it can not only delete itself from your phone, but wipe much of your phone log data, making it hard even for technically skilled people to know that the virus was ever there. In short, you might never know if your phone, your use, is the reason someone has landed in prison.
A number of control centers in China has been identified to where such data and traffic goes. The code is such that there is little doubt that this ‘Trojan’ comes from the same people behind the earlier ‘Trojan’ targeting Hong Kong Occupy Central people, just much more sophisticated.
Should I worry? What to do?
First off, there is still some lack of understanding how the infection spreads to your phone. At the same time, there is little reason to think resources would be spent to develop such a tool, and then not try to use it. An earlier, much less sophisticated version, was used extensively during the Occupy Central movement. Why would the police and state security organs not use a tool if it’s already been developed, and if it’s this powerful? It should go without saying that you need to operate as if it’s being used widely, and as if you were a target.
Most people with risk awareness will already have made sure to not use WeChat or QQ, or if they felt a strong need to have it, have it installed on a second phone which is not used for anything else. If you need WeChat, like many unfortunately feel they do, at the very least, install it on a blank, factory-reset second phone, like a super cheap android phone. Due to microphone remote control, make sure to never have it in your office or at any discussions.
Secondly, your current phone, if infected, will not be secure just by uninstalling WeChat and QQ. You will have no choice but to do a factory reset. This may be an inconvenience, but it is the only way. It goes without saying that any existing PIN codes, passwords to work emails, etc., will need be changed after you have done this factory reset.
From the editors:
Since this post was launched, we have heard several complaints such as this one: “the article misrepresents the malware report, which does not mention WeChat or QQ as delivery method, but instead as targeted data.” It is true that the threat is posed by a ‘Trojan’ virus, an external program designed to utilize weaknesses through WeChat and QQ. The vulnerability begins when the xRAT “Trojan” has infected your phone, and the “Trojan” aims at infecting those using WeChat or QQ. The WeChat and QQ programs themselves do not contain the “Trojan.” The silent mode in which it can operate nonetheless makes it hard to know if your phone has been infected. The mode of infection, for example through having downloaded and opened a PDF or other type of file, continues to be studied and the mode of infection is not yet clear.