The notorious Chinese nation-state actor APT41 has been linked to two previously unreported strains of Android spyware, named WyrmSpy and DragonEgg.
“Given APT41’s history of exploiting web-facing applications and infiltrating traditional endpoint devices, the inclusion of mobile malware in its arsenal of threats is a testament to the high value of mobile endpoints containing sought-after corporate and personal data,” stated Lookout in a report shared with The Hacker News.
APT41, also tracked under names such as Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, HOODOO, Wicked Panda, and Winnti, has been operational since at least 2007. The group is notorious for targeting diverse industries to commit intellectual property theft.
Recent attacks by the group have used an open-source red teaming tool named Google Command and Control (GC2) against media and job platforms in Taiwan and Italy.
The initial intrusion method for the mobile surveillanceware campaign remains unclear, although it’s suspected to involve social engineering tactics. Lookout revealed that it first detected WyrmSpy as early as 2017 and DragonEgg at the beginning of 2021, with new samples of the latter discovered as recently as April 2023.
WyrmSpy chiefly disguises itself as a default system app used to display notifications to the user. However, later versions have packaged the malware into apps that mimic adult video content, Baidu Waimai, and Adobe Flash. In contrast, DragonEgg has been distributed through third-party Android keyboards and messaging apps like Telegram.
No evidence suggests that these malicious apps were spread through the Google Play Store.
The links between WyrmSpy, DragonEgg, and APT41 arise from their use of a command-and-control (C2) server with the IP address 121.42.149[.]52. This IP address resolves to a domain (“vpn2.umisen[.]com”) previously identified as part of the group’s infrastructure.
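Defenders can hunt for the two attribution indicators above in their own DNS and connection telemetry. The following is an added example, not code from the Lookout report; it assumes a hypothetical log layout of timestamp, source host, record kind (dns or conn), and destination, and uses constructed sample lines:

```python
import ipaddress
import re
# C2 indicators quoted in the report above, kept in defanged form as printed.
DEFANGED_IOCS = ["121.42.149[.]52", "vpn2.umisen[.]com"]

def refang(ioc: str) -> str:
    """Turn defanged notation ('[.]', 'hxxp') back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()

def split_iocs(iocs):
    """Separate indicators into a set of IP addresses and a set of domain names."""
    ips, domains = set(), set()
    for raw in iocs:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return ips, domains

def domain_matches(host: str, domains) -> bool:
    """True for an exact match or any subdomain of a listed domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

# Assumed (hypothetical) log layout: <timestamp> <source host> <dns|conn> <destination>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>dns|conn)\s+(?P<dst>\S+)")

def scan_logs(lines, iocs=DEFANGED_IOCS):
    """Return (source, kind, destination) for every line that touches a C2 indicator."""
    ips, domains = split_iocs(iocs)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        dst = m["dst"]
        dns_hit = m["kind"] == "dns" and domain_matches(dst, domains)
        conn_hit = m["kind"] == "conn" and dst.rsplit(":", 1)[0] in ips
        if dns_hit or conn_hit:
            hits.append((m["src"], m["kind"], dst.lower()))
    return hits
# Constructed sample log lines (not real telemetry): one host talks to the C2, one does not.
SAMPLE_LOGS = [
    "2023-04-12T08:01:02Z 10.0.5.23 dns vpn2.umisen.com",
    "2023-04-12T08:01:03Z 10.0.5.23 conn 121.42.149.52:443",
    "2023-04-12T08:02:10Z 10.0.5.40 dns updates.example.org",
    "2023-04-12T08:02:11Z 10.0.5.40 conn 93.184.216.34:443",
    "2023-04-12T08:03:00Z 10.0.5.23 dns api.vpn2.umisen.com",
]
```

Subdomain matching catches hosts such as api.vpn2.umisen.com without also flagging look-alike names like notvpn2.umisen.com.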
Upon installation, both malware strains request intrusive permissions and are equipped with advanced data collection and exfiltration capabilities, gathering users’ photos, locations, SMS messages, and audio recordings.
After the app is installed, the malware also uses modules downloaded from a now-inactive C2 server to carry out data collection while avoiding detection.
WyrmSpy can disable Security-Enhanced Linux (SELinux), an Android security feature, and use rooting tools like KingRoot11 to gain elevated privileges on compromised devices. A notable aspect of DragonEgg is that it contacts the C2 server to fetch an unidentified tertiary module that masquerades as a forensics program.
“The unearthing of WyrmSpy and DragonEgg serves as a reminder of the escalating threat posed by advanced Android malware,” said Kristina Balaam, a senior threat researcher at Lookout. “These spyware packages are highly sophisticated and can collect a wide array of data from the infected devices.”
These findings coincide with Mandiant’s disclosure of the evolving tactics used by Chinese espionage groups to stay unnoticed, such as weaponizing networking devices and virtualization software, utilizing botnets to conceal traffic between C2 infrastructure and victim environments, and tunneling malicious traffic within victim networks through compromised systems.
“Employing botnets, proxying traffic in a compromised network, and targeting edge devices aren’t new tactics, nor are they exclusive to Chinese cyber espionage actors,” the Google-owned threat intelligence firm mentioned. “However, over the past decade, we have observed Chinese cyber espionage actors’ use of these and other tactics as part of a broader shift toward more deliberate, covert, and effective operations.”