The previously undocumented Android malware dubbed EagleMsgSpy has been the primary tool used by alleged Chinese law enforcement organisations to monitor smartphones covertly.
The researchers who discovered the activity provide extensive evidence linking EagleMsgSpy to its developers and operators. The evidence includes IP addresses associated with C2 servers, domains, direct references in internal documents, and public contracts.
In addition, a follow-up assessment of the malware suggests that an iOS variant for Apple devices may exist; however, the researchers have yet to obtain a sample for analysis.
EagleMsgSpy is spyware whose capabilities exceed those of other common malware strains.
Chinese law enforcement is the alleged operator of the EagleMsgSpy Android malware. These authorities may have planted the spyware on smartphones confiscated during arrests and returned the devices to their owners after the implant was installed.
Supporting this assessment, the researchers have yet to identify the malware’s installer APK on Google Play or any third-party app store, implying that it is deployed only by a small group of operators.
Later versions of the malware analysed by the researchers feature improved code obfuscation and encryption, indicating that it is still under active development.
The spyware collects messages from chat applications such as QQ, Telegram and WhatsApp, and captures screen recordings, screenshots, and audio recordings.
Furthermore, the spyware harvests call logs, contacts, SMS messages, GPS location, network activity, installed applications, browser bookmarks, and files on external storage.
The malware stages the stolen data in a hidden directory for exfiltration, then encrypts, compresses, and transmits it to the C2 servers. The researchers report that the malware is managed through an admin panel titled “Stability Maintenance Judgment System.”
The panel enables remote operators to initiate real-time tasks such as audio recording, or to visualise the geographical distribution of the target’s contacts and the communications exchanged among them.
Researchers are confident that Wuhan Chinasoft Token Information Technology developed this new Android spyware for the benefit of the Chinese authorities. The assessment links the malware to the company through overlapping infrastructure and the company’s internal documentation.
