Saturday, January 11, 2025
HomeAndroidNew Chinese Surveillance Tool Attack Android Users Since 2017

New Chinese Surveillance Tool Attack Android Users Since 2017

Published on

Wuhan Chinasoft Token Information Technology Co., Ltd. developed EagleMsgSpy, a surveillance tool operational since 2017, which, installed as an APK, secretly collects extensive user data, including chat messages, screen recordings, audio, call logs, contacts, SMS, location, and network activity. 

Because the data is sent to a command-and-control server, there is a possibility that it could be misused for the purposes of information gathering.

It developed EagleMsgSpy, a surveillance tool operational since 2017, which requires physical access to a device to install a stealthy surveillance module that collects sensitive user data. 

the installer presents the user with multiple options
the installer presents the user with multiple options

The installer, likely used by law enforcement, offers multiple installation options and requires a “channel” or “account” input, suggesting multiple customers, where the tool’s ongoing development and increasing sophistication in obfuscation and encryption highlight its active maintenance and efforts to evade detection. 

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

EagleMsgSpy, a surveillance tool, leverages Notification Listener and Accessibility Services to monitor device activity and intercept messages from popular platforms like QQ, Telegram, Viber, WhatsApp, and WeChat. 

It captures screen recordings, screenshots, audio, call logs, contacts, SMS, GPS location, network details, and file system information, while collected data is stored locally, compressed, encrypted, and exfiltrated to a C2 server. 

A surveillance tool with a web-based administrative panel, which is implemented using AngularJS and provides features for managing and monitoring devices. 

An introduction page summarizes the EagleMsgSpy client’s capabilities and use cases. 
An introduction page summarizes the EagleMsgSpy client’s capabilities and use cases. 

While the panel’s source code is partially accessible, it reveals functions specific to iOS devices, suggesting the existence of an iOS version of the surveillance tool and user manuals for both the admin panel and the surveillance client have been discovered, further confirming the tool’s capabilities and potential widespread deployment. 

The manual reveals that EagleMsgSpy is a sophisticated surveillance tool designed for judicial monitoring, which can be remotely installed on target devices without user knowledge and collects a wide range of sensitive data, including contacts, messages, call logs, location, and media. 

admin panel allows users to trigger real-time audio recordings on the device
admin panel allows users to trigger real-time audio recordings on the device

It allows administrators to remotely control the device, capturing real-time data, blocking communications, and even triggering camera and microphone functions, as the manual provides detailed instructions on how to install the surveillance client and analyze the collected data through a web-based interface.

The attribution is based on multiple factors: IP address overlap with company-associated domains, references to the company’s domain within the malware’s code, GPS coordinates linking to the company’s office, and corporate documents aligning with the malware’s development timeline and scale. 

A document announcing the Shilou County Public Security Bureau’s request for the development of a Stability Maintenance Judgement System.
A document announcing the Shilou County Public Security Bureau’s request for the development of a Stability Maintenance Judgement System.

Lookout analysis of EagleMsgSpy command-and-control (C2) infrastructure revealed connections to public security bureaus in China, which include shared IP addresses with government websites of bureaus like Yantai and Dengfeng and SSL certificates used by both EagleMsgSpy and known bureau websites. 

Publicly available requests for proposals (CFPs) from bureaus mention similar “Stability Maintenance Judgement Systems,” suggesting EagleMsgSpy is a common tool among them. 

While shared SSL certificates link EagleMsgSpy to other Chinese surveillanceware like PluginPhantom and CarbonSteal, previously used in targeted campaigns against minorities.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

 

Latest articles

QSC: Multi-Plugin Malware Framework Installs Backdoor on Windows

The QSC Loader service DLL named "loader.dll" leverages two distinct methods to obtain the...

Weaponized LDAP Exploit Deploys Information-Stealing Malware

Cybercriminals are exploiting the recent critical LDAP vulnerabilities (CVE-2024-49112 and CVE-2024-49113) by distributing fake...

New NonEuclid RAT Evades Antivirus and Encrypts Critical Files

A NonEuclid sophisticated C# Remote Access Trojan (RAT) designed for the.NET Framework 4.8 has...

Hackers Targeting Users Who Lodged Complaints On Government portal To Steal Credit Card Data

Fraudsters in the Middle East are exploiting a vulnerability in the government services portal....

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

QSC: Multi-Plugin Malware Framework Installs Backdoor on Windows

The QSC Loader service DLL named "loader.dll" leverages two distinct methods to obtain the...

Weaponized LDAP Exploit Deploys Information-Stealing Malware

Cybercriminals are exploiting the recent critical LDAP vulnerabilities (CVE-2024-49112 and CVE-2024-49113) by distributing fake...

New NonEuclid RAT Evades Antivirus and Encrypts Critical Files

A NonEuclid sophisticated C# Remote Access Trojan (RAT) designed for the.NET Framework 4.8 has...