
China using ‘EagleMsgSpy’ malware to tap Android devices


China appears to be merging its government and malware operations to create a new surveillance platform for Android devices.

The malware, dubbed "EagleMsgSpy" by the research team at security vendor Lookout, shows significant overlap between the Chinese Communist Party’s law enforcement branch and its associated hacking operations.

“Lookout researchers have uncovered a novel surveillance family distributed by a Chinese threat actor with suspected use as a lawful intercept tool,” Lookout said in its report.

“This connection is tied to overlapping command and control (C2) infrastructure in use by both the malware and local security bureaus in mainland China.”

The malware is believed to have been in circulation since at least 2017.

Is the developer of EagleMsgSpy China's version of NSO Group?

According to the team at Lookout, EagleMsgSpy is notable for its blend of private- and government-sector interests. The researchers traced the malware implants back to a small developer in Wuhan.

A look at the company’s product history, however, shows that it specializes in developing forensics tools for law enforcement and government surveillance. This would make the developer something like China’s equivalent of NSO Group and the other firms that sell malware to government agencies under the banner of forensics and surveillance products.

“An early EagleMsgSpy variant from 2017 specifies a hardcoded C2, 221.0.90[.]53. This IP address was the resolving IP for two Chinese government websites during the time in which this EagleMsgSpy variant was packaged,” Lookout explained.

“This leads Lookout researchers to assess with moderate confidence that the tool is being used for lawful interception at one or more security bureau locations in mainland China.”

As with other Android malware, EagleMsgSpy first lands on the victim’s device as an otherwise benign-looking app. When first installed, the process identifies itself as "APKToolPlus" in an effort to conceal its true nature.

From there, the malware connects to one of several command-and-control servers located in mainland China (one additional server is hosted in Japan) and then carries out routine surveillance activities such as intercepting SMS messages and recording the device’s browsing and communications.

Fortunately for international users, this particular malware package requires local access in order to install and execute. However, those who are traveling to mainland China or ordering dodgy handsets from Chinese vendors may want to keep a close eye on their devices and run a thorough security scan.
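The two indicators the article itself gives, the "APKToolPlus" label the implant uses at install time and the hardcoded 2017 C2 address 221.0.90[.]53, are the kind of thing a defender would fold into a device-inventory and network-log check. The script below is an added example written for this article, not code from Lookout or from the report; the log format, package names and app inventory it scans are constructed sample data, and the `scan_app_inventory` / `scan_connection_log` helpers are hypothetical. Treat both indicators as weak on their own: the IP was tied to a 2017 variant and also resolved government websites at the time, and an app label is trivially changed, so a match is a lead for closer inspection rather than a verdict.

```python
import re
from dataclasses import dataclass

# Indicators quoted in the article. The C2 is defanged the way the report writes it.
DEFANGED_C2_IPS = ["221.0.90[.]53"]       # hardcoded C2 of a 2017 EagleMsgSpy variant
SUSPICIOUS_APP_LABELS = {"APKToolPlus"}   # label the implant presents at install time


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 221.0.90[.]53 into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_IPS = {refang(ip) for ip in DEFANGED_C2_IPS}


@dataclass
class Finding:
    kind: str       # what matched, e.g. "suspicious_app_label" or "known_c2_contact"
    evidence: str   # the inventory entry or log line that produced the match


def scan_app_inventory(apps):
    """apps: iterable of (package_name, display_label) pairs, e.g. an MDM export (hypothetical shape)."""
    findings = []
    for package, label in apps:
        if label in SUSPICIOUS_APP_LABELS:
            findings.append(Finding("suspicious_app_label", f"{package} ({label})"))
    return findings


# Constructed connection-log format: "<timestamp> <src_ip> -> <dst_ip>:<dst_port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
)


def scan_connection_log(lines):
    """Flag any outbound connection whose destination is a known C2 address."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        if m.group("dst") in C2_IPS:
            findings.append(Finding("known_c2_contact", line.strip()))
    return findings


# Constructed sample data; none of it comes from the report.
SAMPLE_APPS = [
    ("com.android.chrome", "Chrome"),
    ("com.example.tool", "APKToolPlus"),   # constructed package name carrying the suspicious label
]
SAMPLE_LOG = [
    "2024-12-10T08:00:00Z 10.0.0.5 -> 142.250.72.14:443",
    "2024-12-10T08:00:05Z 10.0.0.5 -> 221.0.90.53:8080",
    "malformed line that the parser should ignore",
]

if __name__ == "__main__":
    for finding in scan_app_inventory(SAMPLE_APPS) + scan_connection_log(SAMPLE_LOG):
        print(f"{finding.kind}: {finding.evidence}")
```

Run against a real inventory or flow log, the two scanners would be fed from whatever export the fleet produces; the regex only describes the constructed sample format and would need adjusting to the real one.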

Shaun Nichols

A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.
