Recently identified Android spyware DragonEgg, previously linked to the Chinese state-sponsored threat operation APT41, has been associated with the iOS surveillance tool LightSpy on the basis of similar configuration patterns, command-and-control server communications, runtime structure, and plugins, The Hacker News reports.
The attack chains of both DragonEgg and LightSpy involved a trojanized Telegram app that deploys a second-stage payload, which in turn prompts the installation of the "Core" module, responsible for device fingerprint collection, remote server communication, and self-updating, according to a ThreatFabric report. LightSpy was also found to share C2 infrastructure with DragonEgg and the WyrmSpy malware, also known as AndroidControl.

"The way the threat actor group distributed the initial malicious stage inside a popular messenger was a clever trick. There were several benefits of that: the implant inherited all the access permissions that the carrier application had. In the case of a messenger, there were a lot of private permissions such as camera and storage access," said ThreatFabric.
Similarities between DragonEgg Android spyware, LightSpy iOS surveillance tool examined