Tuesday, January 14, 2025
HomeAndroidNew Chinese Surveillance Tool Attack Android Users Since 2017

New Chinese Surveillance Tool Attack Android Users Since 2017

Published on

Wuhan Chinasoft Token Information Technology Co., Ltd. developed EagleMsgSpy, a surveillance tool operational since 2017, which, installed as an APK, secretly collects extensive user data, including chat messages, screen recordings, audio, call logs, contacts, SMS, location, and network activity. 

Because the data is sent to a command-and-control server, there is a possibility that it could be misused for the purposes of information gathering.

It developed EagleMsgSpy, a surveillance tool operational since 2017, which requires physical access to a device to install a stealthy surveillance module that collects sensitive user data. 

the installer presents the user with multiple options
the installer presents the user with multiple options

The installer, likely used by law enforcement, offers multiple installation options and requires a “channel” or “account” input, suggesting multiple customers, where the tool’s ongoing development and increasing sophistication in obfuscation and encryption highlight its active maintenance and efforts to evade detection. 

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

EagleMsgSpy, a surveillance tool, leverages Notification Listener and Accessibility Services to monitor device activity and intercept messages from popular platforms like QQ, Telegram, Viber, WhatsApp, and WeChat. 

It captures screen recordings, screenshots, audio, call logs, contacts, SMS, GPS location, network details, and file system information, while collected data is stored locally, compressed, encrypted, and exfiltrated to a C2 server. 

A surveillance tool with a web-based administrative panel, which is implemented using AngularJS and provides features for managing and monitoring devices. 

An introduction page summarizes the EagleMsgSpy client’s capabilities and use cases. 
An introduction page summarizes the EagleMsgSpy client’s capabilities and use cases. 

While the panel’s source code is partially accessible, it reveals functions specific to iOS devices, suggesting the existence of an iOS version of the surveillance tool and user manuals for both the admin panel and the surveillance client have been discovered, further confirming the tool’s capabilities and potential widespread deployment. 

The manual reveals that EagleMsgSpy is a sophisticated surveillance tool designed for judicial monitoring, which can be remotely installed on target devices without user knowledge and collects a wide range of sensitive data, including contacts, messages, call logs, location, and media. 

admin panel allows users to trigger real-time audio recordings on the device
admin panel allows users to trigger real-time audio recordings on the device

It allows administrators to remotely control the device, capturing real-time data, blocking communications, and even triggering camera and microphone functions, as the manual provides detailed instructions on how to install the surveillance client and analyze the collected data through a web-based interface.

The attribution is based on multiple factors: IP address overlap with company-associated domains, references to the company’s domain within the malware’s code, GPS coordinates linking to the company’s office, and corporate documents aligning with the malware’s development timeline and scale. 

A document announcing the Shilou County Public Security Bureau’s request for the development of a Stability Maintenance Judgement System.
A document announcing the Shilou County Public Security Bureau’s request for the development of a Stability Maintenance Judgement System.

Lookout analysis of EagleMsgSpy command-and-control (C2) infrastructure revealed connections to public security bureaus in China, which include shared IP addresses with government websites of bureaus like Yantai and Dengfeng and SSL certificates used by both EagleMsgSpy and known bureau websites. 

Publicly available requests for proposals (CFPs) from bureaus mention similar “Stability Maintenance Judgement Systems,” suggesting EagleMsgSpy is a common tool among them. 

While shared SSL certificates link EagleMsgSpy to other Chinese surveillanceware like PluginPhantom and CarbonSteal, previously used in targeted campaigns against minorities.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

 

Latest articles

Google’s “Sign in with Google” Flaw Exposes Millions of Users’ Details

A critical flaw in Google's "Sign in with Google" authentication system has left millions...

Hackers Attacking Internet Connected Fortinet Firewalls Using Zero-Day Vulnerability

A widespread campaign targeting Fortinet FortiGate firewall devices with exposed management interfaces on the...

Critical macOS Vulnerability Lets Hackers to Bypass Apple’s System Integrity Protection

Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass...

CISA Released A Free Guide to Enhance OT Product Security

To address rising cyber threats targeting critical infrastructure, the U.S. Cybersecurity and Infrastructure Security...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Google’s “Sign in with Google” Flaw Exposes Millions of Users’ Details

A critical flaw in Google's "Sign in with Google" authentication system has left millions...

Hackers Attacking Internet Connected Fortinet Firewalls Using Zero-Day Vulnerability

A widespread campaign targeting Fortinet FortiGate firewall devices with exposed management interfaces on the...

Critical macOS Vulnerability Lets Hackers to Bypass Apple’s System Integrity Protection

Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass...