Android Spyware EagleMsgSpy
Cybersecurity researchers have revealed that law enforcement agencies in China are using an Android spyware called "EagleMsgSpy" to monitor mobile devices in the country. According to a new report by cybersecurity platform Lookout, the spyware was developed by Wuhan Chinasoft Token Information Technology and has been operational since 2017.
The report said that EagleMsgSpy collects extensive data from the user — third-party chat messages, screen recording and screenshot capture, audio recordings, call logs, device contacts, SMS messages, location data, and network activity.
As per BleepingComputer, Lookout has substantial evidence connecting EagleMsgSpy to its developers and operators. This includes IP addresses linked to command-and-control servers, domains, internal documentation references, and public contracts.
Researchers also suspect an iOS version exists but haven’t obtained a sample for analysis yet.
The cybersecurity platform believes that law enforcement manually installs the EagleMsgSpy spyware when they have physical access to unlocked devices. This could be achieved by confiscating the device during arrests.
Lookout has not seen the installer APK on Google Play or any third-party app stores, so the spyware is presumably only distributed by a small circle of operators. The report also suggests that this surveillance tool is likely used by multiple customers of the software vendor.
The surveillance payload collects an extensive amount of data about the victim device:
– Collects all messages from QQ, Telegram, Viber, WhatsApp and WeChat
– Initiates screen recording of the device through the Media Projection service
– Captures screenshots
– Captures audio recordings of the device while in use
– Collects call logs
– Collects device contacts
– Collects SMS messages
– Compiles a list of installed applications on the device
– Retrieves GPS coordinates
– Details Wi-Fi and network connections
– Compiles a list of files in external storage
– Collects bookmarks from the device browser
“After data is collected, it is stored in a staging area in a hidden directory of the file system of the device for eventual exfiltration. The data files are then compressed and password protected before being sent to the command-and-control (C2) server,” the report said.
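As an added defender-side example (not code from the Lookout report or from this article), the staging behaviour quoted above suggests a simple triage heuristic for a forensic image of a device: look for archives whose entries carry the ZIP "encrypted" flag and that sit under a dot-prefixed (hidden) directory. The script assumes the staged files are ZIP archives and that "hidden" means a dot-prefixed directory name; the paths and archive contents are constructed for the demonstration and are not indicators from the report.

```python
import io
import struct
import zipfile

# Bit 0 of the ZIP general-purpose flag field marks an entry as encrypted.
ZIP_ENCRYPTED_FLAG = 0x1


def zip_has_encrypted_entry(blob: bytes) -> bool:
    """Return True if any entry in the archive has the encryption flag set.

    Only the central directory is parsed; no decryption is attempted, so
    this works without knowing the password.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(info.flag_bits & ZIP_ENCRYPTED_FLAG for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def is_hidden_path(path: str) -> bool:
    """True if any directory component of a POSIX path starts with a dot
    (assumption: that is what 'hidden directory' means here)."""
    parts = path.split("/")
    return any(p.startswith(".") for p in parts[:-1])


def find_staged_archives(files: dict) -> list:
    """files maps path -> file bytes (e.g. read from a device image).
    Return, sorted, the paths of password-protected archives that live
    under a hidden directory: the staging pattern described in the report."""
    return sorted(
        path for path, blob in files.items()
        if is_hidden_path(path) and zip_has_encrypted_entry(blob)
    )


def _make_zip(entries: dict, encrypted: bool) -> bytes:
    """Build a small ZIP in memory for the constructed sample.

    If encrypted is True, set the encryption flag bit in each entry's local
    and central-directory headers so the archive *looks* password protected
    to a scanner. The payload itself is not encrypted; this only reproduces
    the header state a detector would see. ZIP_STORED keeps the data
    uncompressed so no false 'PK' signatures appear inside it.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    blob = bytearray(buf.getvalue())
    if encrypted:
        # Local file header: signature PK\x03\x04, flags at byte offset 6.
        # Central directory header: signature PK\x01\x02, flags at offset 8.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = blob.find(sig)
            while pos != -1:
                flags = struct.unpack_from("<H", blob, pos + off)[0]
                struct.pack_into("<H", blob, pos + off, flags | ZIP_ENCRYPTED_FLAG)
                pos = blob.find(sig, pos + 4)
    return bytes(blob)


# Constructed sample "device image": paths and contents are made up.
SAMPLE_FILES = {
    # Password-protected archive staged under a hidden directory: the pattern we want.
    "/sdcard/.cache_sys/20240101_chat.zip": _make_zip({"msgs.txt": "constructed chat dump"}, True),
    # Ordinary unencrypted backup in a visible directory: benign.
    "/sdcard/Download/backup.zip": _make_zip({"notes.txt": "plain backup"}, False),
    # Unencrypted archive in a hidden directory: not enough on its own to flag.
    "/sdcard/.thumbnails/thumbs.zip": _make_zip({"a.txt": "x"}, False),
    # Non-archive file in a hidden directory: ignored.
    "/sdcard/.nomedia": b"",
}


if __name__ == "__main__":
    for hit in find_staged_archives(SAMPLE_FILES):
        print("possible staged exfiltration archive:", hit)
```

Run against the constructed sample, only the encrypted archive under `/sdcard/.cache_sys/` is reported. The two conditions are deliberately combined: encrypted archives are common in legitimate apps, and hidden directories are everywhere on Android, but an encrypted archive that an app has written into a hidden directory is unusual enough to be worth a look during triage.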