New EagleMsgSpy Android spyware used by Chinese police, researchers say

December 11, 2024 at 04:06PM

A new Android spyware, EagleMsgSpy, developed by Wuhan Chinasoft Token, facilitates surveillance by Chinese law enforcement. Operational since 2017, it targets various data types, including messages and location. Evidence ties it to public security bureaus, suggesting systematic government use. An iOS version is suspected but unverified.

### Meeting Takeaways: EagleMsgSpy Discovery

**Overview:**
– A new Android spyware, ‘EagleMsgSpy,’ has been identified, believed to be utilized by Chinese law enforcement for mobile device surveillance since at least 2017.

**Key Points:**
1. **Developer Information:**
– EagleMsgSpy was developed by Wuhan Chinasoft Token Information Technology Co., Ltd.
– Evidence linking the spyware to the developers includes:
  – IP addresses tied to command-and-control (C2) servers.
  – Domains associated with the developer.
  – Direct references in internal documentation and public contracts.

2. **Functionality and Distribution:**
– The spyware is manually installed on devices when law enforcement has physical access, often during arrests.
– There is no evidence that the installation APK is available on Google Play or any other app store, which suggests limited distribution.

3. **Capabilities:**
– Data theft activities include:
  – Intercepting messages from popular chat apps (QQ, Telegram, WhatsApp).
  – Screen recording, capturing screenshots, audio recordings.
  – Accessing call logs, contacts, SMS messages.
  – Gathering location data (GPS), network activity, and installed apps.
  – Collecting browser bookmarks and files from external storage.
– Exfiltrated data is encrypted and temporarily stored in a hidden directory before being sent to C2 servers.

4. **Technical Insights:**
– Subsequent malware versions show improved code obfuscation and encryption, indicating continued development.
– An admin panel, referred to as the “Stability Maintenance Judgment System,” enables real-time monitoring and data collection activities for operators.

5. **Operator Details:**
– Analysis suggests that C2 servers are associated with public security bureaus, specifically mentioning the Yantai Public Security Bureau and others in Dengfeng and Guiyang.
– The name of the admin panel implies its use by government agencies or law enforcement.

**Conclusion:**
– Lookout’s findings carry significant implications for user privacy and security, especially under oppressive regimes. Further investigation into the potential iOS variant is necessary, as researchers have yet to obtain a sample for analysis.