New Chinese Surveillance Tool Attack Android Users Since 2017

Wuhan Chinasoft Token Information Technology Co., Ltd. developed EagleMsgSpy, a surveillance tool operational since 2017, which, installed as an APK, secretly collects extensive user data, including chat messages, screen recordings, audio, call logs, contacts, SMS, location, and network activity. 

Because the data is sent to a command-and-control server, there is a possibility that it could be misused for the purposes of information gathering.

It developed EagleMsgSpy, a surveillance tool operational since 2017, which requires physical access to a device to install a stealthy surveillance module that collects sensitive user data. 

The installer, likely used by law enforcement, offers multiple installation options and requires a “channel” or “account” input, suggesting multiple customers, where the tool’s ongoing development and increasing sophistication in obfuscation and encryption highlight its active maintenance and efforts to evade detection. 

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

EagleMsgSpy, a surveillance tool, leverages Notification Listener and Accessibility Services to monitor device activity and intercept messages from popular platforms like QQ, Telegram, Viber, WhatsApp, and WeChat. 

It captures screen recordings, screenshots, audio, call logs, contacts, SMS, GPS location, network details, and file system information, while collected data is stored locally, compressed, encrypted, and exfiltrated to a C2 server. 

A surveillance tool with a web-based administrative panel, which is implemented using AngularJS and provides features for managing and monitoring devices. 

While the panel’s source code is partially accessible, it reveals functions specific to iOS devices, suggesting the existence of an iOS version of the surveillance tool and user manuals for both the admin panel and the surveillance client have been discovered, further confirming the tool’s capabilities and potential widespread deployment. 

The manual reveals that EagleMsgSpy is a sophisticated surveillance tool designed for judicial monitoring, which can be remotely installed on target devices without user knowledge and collects a wide range of sensitive data, including contacts, messages, call logs, location, and media. 

It allows administrators to remotely control the device, capturing real-time data, blocking communications, and even triggering camera and microphone functions, as the manual provides detailed instructions on how to install the surveillance client and analyze the collected data through a web-based interface.

The attribution is based on multiple factors: IP address overlap with company-associated domains, references to the company’s domain within the malware’s code, GPS coordinates linking to the company’s office, and corporate documents aligning with the malware’s development timeline and scale. 

Lookout analysis of EagleMsgSpy command-and-control (C2) infrastructure revealed connections to public security bureaus in China, which include shared IP addresses with government websites of bureaus like Yantai and Dengfeng and SSL certificates used by both EagleMsgSpy and known bureau websites. 

Publicly available requests for proposals (CFPs) from bureaus mention similar “Stability Maintenance Judgement Systems,” suggesting EagleMsgSpy is a common tool among them. 

While shared SSL certificates link EagleMsgSpy to other Chinese surveillanceware like PluginPhantom and CarbonSteal, previously used in targeted campaigns against minorities.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free