{
	"id": "195dab2f-4e4b-4b59-a72b-80152ba46210",
	"created_at": "2026-04-06T00:16:45.24548Z",
	"updated_at": "2026-04-10T03:20:37.581589Z",
	"deleted_at": null,
	"sha1_hash": "da6e469a9f3de0f24dccf3b92e45c176de628cee",
	"title": "XRAT Malware Tied to \"Xsser/MRAT\" Surveillance",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1428759,
	"plain_text": "XRAT Malware Tied to \"Xsser/MRAT\" Surveillance\r\nBy Lookout\r\nPublished: 2017-08-31 · Archived: 2026-04-05 22:58:51 UTC\r\nLookout researchers have identified a mobile trojan called xRAT with extensive data collection functionality and\r\nthe ability to remotely run a suicide function to avoid detection. The malware is associated with the high-profile\r\nXsser / mRAT malware, which made headlines after targeting both iOS and Android devices of pro-democracy\r\nHong Kong activists in late 2014.\r\nLookout continues to regularly acquire new Android-variant samples of mRAT from multiple sources, and we\r\nhave seen detections that show it has been live on Android devices in recent months. The frequency with which\r\nthese samples are being deployed in the wild suggests that this family is still under continual development and\r\nactively used in various campaigns.\r\nLookout identified xRAT due to a combination of suspicious capabilities it uses, such as dynamically loading\r\nadditional code, executing native libraries, using specific ciphers, and accessing sensitive user information.\r\nSamples from both mRAT and xRAT families have an almost identical code structure, make use of the same\r\ndecryption key, share certain heuristics and naming conventions, and interestingly contain anti-debugging\r\ntechniques that cause the a frequently-used malware researcher tool, the dex2jar decompiler, to crash. 
These many\r\nsimilarities strongly suggest that mRAT and xRAT have been developed by the same threat actor.\r\nThe command and control servers for xRAT are also linked to Windows malware, indicating that the malicious\r\nactors behind this threat are conducting multi-platform attacks against the PCs and mobile devices of targeted\r\ngroups.\r\nWhat it does\r\nThe discovery of xRAT and continued improvements to both xRAT and mRAT clearly demonstrate that threat\r\nactors are capable of deploying sophisticated tools to retrieve intelligence from mobile endpoints. Like mRAT,\r\nxRAT supports an impressive set of capabilities that include flexible reconnaissance and information gathering,\r\ndetection evasion, specific checks for antivirus, app and file deletion functionality, and other functionality listed\r\nbelow. It also searches for data belonging to popular communications apps like QQ and WeChat. The threat actors\r\nthemselves are able to remotely control much of its functionality in real time (e.g., which files to retrieve and what\r\nthe settings of its automatic file retrieval module should be).\r\nListed below are the types of data gathered by xRAT and features that enable it to perform reconnaissance, run\r\nremote code, and exfiltrate data from Android devices:\r\nBrowser history\r\nDevice metadata (such as model, manufacturer, SIM number, and device ID)\r\nhttps://blog.lookout.com/xrat-mobile-threat\r\nPage 1 of 7\n\nText messages\r\nContacts\r\nCall logs\r\nData from QQ and WeChat\r\nWi-Fi access points a device has connected to and the associated passwords\r\nEmail database and any email account usernames / passwords\r\nDevice geolocation\r\nInstalled apps, identifying both user and system applications\r\nSIM card information\r\nProvide a remote attacker with a shell\r\nDownload attacker-specified files and save them to specified locations\r\nDelete attacker-specified files or recursively delete specified directories\r\nEnable airplane mode\r\nList all 
files and directories on external storage\r\nList the contents of attacker-specified directories\r\nAutomatically retrieve files of an attacker-specified type that are between a minimum and\r\nmaximum size\r\nSearch external storage for a file with a specific MD5 hash and, if identified, retrieve it\r\nUpload attacker-specified files to C2 infrastructure\r\nMake a call out to an attacker-specified number\r\nRecord audio and write it directly to an already established command and control network socket\r\nExecute an attacker-specified command as the root user\r\nInstruct an infected device to repeatedly download, and then delete, large files, exhausting a user's mobile\r\ndata.\r\nxRAT runs a suicide function to avoid detection\r\nxRAT also contains suicide functionality. When triggered, xRAT will clean out its installation directory before\r\nissuing a package manager command to uninstall itself. The developers behind xRAT created an alert system,\r\nflagging to the malware operator if any of the following antivirus applications are present on a compromised\r\ndevice.\r\n管家 (housekeeper)\r\n安全 (safety)\r\n权限 (Authority)\r\n卫士 (Guardian)\r\n清理 (Cleanup)\r\n杀毒 (Antivirus)\r\nDefender\r\nSecurity\r\nOur analysis found xRAT contains a robust file deletion module, capable of removing large portions of a device or\r\nattacker-specified files. xRAT can be remotely instructed to perform the following deletion operations:\r\nRemove images from certain directories on the SDCard\r\nRemove audio files from certain directories on the SDCard\r\nWipe a device, removing large portions, including all files from the SDCard, all apps and data that exist\r\nunder the path /data/data/, and all system apps installed under the path /system/app/.\r\nRemove specific input method editors (IMEs). 
This includes com.htc.android.htcime, HTC_IME.apk, com.samsung.inputmethod, SamsungChineseIME.apk, com.tencent.qqpinyin, com.sohu.inputmethod.sogou, com.iflytek.inputmethod, com.google.android.inputmethod.pinyin, com.tencent.qqpinyin-1.apk, com.sohu.inputmethod.sogou-1.apk, com.google.android.inputmethod.pinyin-1.app, com.iflytek.inputmethod-1.apk, and other generic instances of IME apps.\r\nRemove messaging applications from a compromised device. This includes com.tencent.mm, im.yixin, com.tencent.mobileqq, com.whatsapp, and other messaging applications that may have a similar package name.\r\nThese features further highlight the considerable amount of control xRAT operators have over a compromised\r\nphone, allowing it to evade detection by covering its tracks and deleting entire sections of a device.\r\nCommand and control infrastructure\r\nThe majority of command and control servers used by xRAT in the past have been based in China with some\r\nappearing in Hong Kong. After analyzing recently acquired samples, we further identified attacker infrastructure\r\non the East Coast of the United States. This may indicate an expansion in deployment from the actor behind this\r\nfamily as they've previously used servers geographically close to regions where their tooling is being deployed.\r\nInterestingly, the adversary infrastructure has Windows malware associated with it. 
One particular malicious\r\nexecutable is named MyExam, indicating that the actors behind this family may be continuing to target students,\r\nsimilar to how attackers used mRAT during the protests in 2014.\r\nData compromise via xRAT highlights valuable data on mobile devices\r\nxRAT appears to specifically target political groups, but it's also a good example of how much data can be\r\ncompromised via a mobile device.\r\nEnterprises must be prepared for these types of threats that compromise contacts, messaging app conversations,\r\nemail, Wi-Fi passwords, SIM card information, audio, and text messages. Data compromise via mobile presents a\r\nsignificant risk to company-confidential data, and can risk an enterprise's compliance standing, potentially\r\nresulting in hefty fines.\r\nThis is particularly concerning for businesses that will be subject to GDPR come May 2018, which requires\r\nenterprises to protect the personal information of anyone they interact with or send data to in the European Union. Enterprises\r\nshould invest in a mobile threat detection solution to complement EMM/MDM technologies, providing invaluable\r\nvisibility into threats and risks to enterprise data via mobile devices.\r\nLookout is continuing to investigate the actor behind xRAT, its supporting infrastructure, and the evolving\r\ncapabilities of the surveillanceware itself.\r\nInterested in learning more about our Threat Intelligence service or how a threat like xRAT could impact your\r\nenterprise? 
Contact us today.\r\nSHA-1s\r\n0a58d677ad5fc1562b6ceb6395cfb7b819cc511f\r\n20e9b876c2d4253ce61bff01ae364c06b7fa61f4\r\n655599f68ec019d3ad8c2d66283958e2dd1e3b9d\r\ncd20dcd07278714083c757aa07db3a6f663a0b36\r\n9e71b0d6bc2b6ffe6f5774b5218de710cee7fe7a\r\n701fe85b177b9eba92e1c7e99e64381d950a7b62\r\ncd1f88caeb30e3f4b0467093175c952fbd433872\r\ne9fc56c772a70002358c78bc65ba0c0cc0f70447\r\n585fc6502ed786db13a7afff8ba61e2eed8e26b9\r\n979da00fe2986a0cbc12b60a9419232ab1bf7218\r\n2125c20ffd03eff2be2c46dfdd8a2092b73e5766\r\n35eb14fca9dd8f95c0b8c416d2d4191388d40e01\r\n26325f1e6066e1069d88ca570116bb8bac311a23\r\n0aed0f17af2998593b08dad254d3c01dfc6d4d8e\r\n6836826b47fcc0c0128ed35c8e546d7c1f7076bd\r\ndac7a2baa45e47e251ffe5446228914141edd077\r\neea40659209a2df7fb4106e9040fe4931c1da3cc\r\naaaab3bed79ce615de0e22576e6118cd2d5f624d\r\nfc583449a9da921995a909bb78a29c794af2fa37\r\nf006fb13d238a7f39e7cf7fe4521a79664cf8a4a\r\nMichael Flossman\r\nHead of Threat Intelligence\r\nMichael is Head of Threat Intelligence at Lookout where he works on reverse engineering sophisticated mobile\r\nthreats while tracking their evolution, the campaigns they are used in, and the actors behind them. He has hands-on experience in vulnerability research, incident response, security assessments, pen-testing, reverse engineering\r\nand the prototyping of automated analysis solutions. When not analysing malware there’s a good chance he’s off\r\nsnowboarding, diving, or looking for flaws in popular mobile apps.\r\nSource: https://blog.lookout.com/xrat-mobile-threat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.lookout.com/xrat-mobile-threat"
	],
	"report_names": [
		"xrat-mobile-threat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434605,
	"ts_updated_at": 1775791237,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/da6e469a9f3de0f24dccf3b92e45c176de628cee.pdf",
		"text": "https://archive.orkl.eu/da6e469a9f3de0f24dccf3b92e45c176de628cee.txt",
		"img": "https://archive.orkl.eu/da6e469a9f3de0f24dccf3b92e45c176de628cee.jpg"
	}
}