Wednesday, February 12, 2025
HomeAndroidNew Chinese Surveillance Tool Attack Android Users Since 2017

New Chinese Surveillance Tool Attack Android Users Since 2017

Published on

SIEM as a Service

Follow Us on Google News

Wuhan Chinasoft Token Information Technology Co., Ltd. developed EagleMsgSpy, a surveillance tool operational since 2017, which, installed as an APK, secretly collects extensive user data, including chat messages, screen recordings, audio, call logs, contacts, SMS, location, and network activity. 

Because the data is sent to a command-and-control server, there is a possibility that it could be misused for the purposes of information gathering.

It developed EagleMsgSpy, a surveillance tool operational since 2017, which requires physical access to a device to install a stealthy surveillance module that collects sensitive user data. 

the installer presents the user with multiple options
the installer presents the user with multiple options

The installer, likely used by law enforcement, offers multiple installation options and requires a “channel” or “account” input, suggesting multiple customers, where the tool’s ongoing development and increasing sophistication in obfuscation and encryption highlight its active maintenance and efforts to evade detection. 

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

EagleMsgSpy, a surveillance tool, leverages Notification Listener and Accessibility Services to monitor device activity and intercept messages from popular platforms like QQ, Telegram, Viber, WhatsApp, and WeChat. 

It captures screen recordings, screenshots, audio, call logs, contacts, SMS, GPS location, network details, and file system information, while collected data is stored locally, compressed, encrypted, and exfiltrated to a C2 server. 

A surveillance tool with a web-based administrative panel, which is implemented using AngularJS and provides features for managing and monitoring devices. 

An introduction page summarizes the EagleMsgSpy client’s capabilities and use cases. 
An introduction page summarizes the EagleMsgSpy client’s capabilities and use cases. 

While the panel’s source code is partially accessible, it reveals functions specific to iOS devices, suggesting the existence of an iOS version of the surveillance tool and user manuals for both the admin panel and the surveillance client have been discovered, further confirming the tool’s capabilities and potential widespread deployment. 

The manual reveals that EagleMsgSpy is a sophisticated surveillance tool designed for judicial monitoring, which can be remotely installed on target devices without user knowledge and collects a wide range of sensitive data, including contacts, messages, call logs, location, and media. 

admin panel allows users to trigger real-time audio recordings on the device
admin panel allows users to trigger real-time audio recordings on the device

It allows administrators to remotely control the device, capturing real-time data, blocking communications, and even triggering camera and microphone functions, as the manual provides detailed instructions on how to install the surveillance client and analyze the collected data through a web-based interface.

The attribution is based on multiple factors: IP address overlap with company-associated domains, references to the company’s domain within the malware’s code, GPS coordinates linking to the company’s office, and corporate documents aligning with the malware’s development timeline and scale. 

A document announcing the Shilou County Public Security Bureau’s request for the development of a Stability Maintenance Judgement System.
A document announcing the Shilou County Public Security Bureau’s request for the development of a Stability Maintenance Judgement System.

Lookout analysis of EagleMsgSpy command-and-control (C2) infrastructure revealed connections to public security bureaus in China, which include shared IP addresses with government websites of bureaus like Yantai and Dengfeng and SSL certificates used by both EagleMsgSpy and known bureau websites. 

Publicly available requests for proposals (CFPs) from bureaus mention similar “Stability Maintenance Judgement Systems,” suggesting EagleMsgSpy is a common tool among them. 

While shared SSL certificates link EagleMsgSpy to other Chinese surveillanceware like PluginPhantom and CarbonSteal, previously used in targeted campaigns against minorities.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

 

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

FortiOS & FortiProxy Vulnerability Allows Attackers Firewall Hijacks to Gain Super Admin Access

A critical vulnerability in Fortinet's FortiOS and FortiProxy products has been identified, enabling attackers...

Fortinet’s FortiOS Vulnerabilities Allow Attackers Trigger RCE and Launch DoS Attack

Fortinet’s FortiOS, the operating system powering its VPN and firewall appliances, has been found...

0-Day Vulnerability in Windows Storage Allow Hackers to Delete the Target Files Remotely

A newly discovered 0-day vulnerability in Windows Storage has sent shockwaves through the cybersecurity...

Ratatouille Malware Bypass UAC Control & Exploits I2P Network to Launch Cyber Attacks

A newly discovered malware, dubbed "Ratatouille" (or I2PRAT), is raising alarms in the cybersecurity...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

FortiOS & FortiProxy Vulnerability Allows Attackers Firewall Hijacks to Gain Super Admin Access

A critical vulnerability in Fortinet's FortiOS and FortiProxy products has been identified, enabling attackers...

Fortinet’s FortiOS Vulnerabilities Allow Attackers Trigger RCE and Launch DoS Attack

Fortinet’s FortiOS, the operating system powering its VPN and firewall appliances, has been found...

0-Day Vulnerability in Windows Storage Allow Hackers to Delete the Target Files Remotely

A newly discovered 0-day vulnerability in Windows Storage has sent shockwaves through the cybersecurity...