Android surveillance software attributed to Chinese group APT41 has recently been discovered, according to experts at Lookout. Attacks by hacker groups like APT41, which focus on mobile devices, show that mobile endpoints are high-value targets with coveted data.
WyrmSpy and DragonEgg are the two new dangerous variants of Android surveillance software discovered by Lookout. These spy apps are attributed to the well-known Chinese threat group APT41. Although the US government has filed multiple indictments over the group's attacks on more than 100 private and public companies in the US and around the world, their tactics have extended to mobile devices as well. Lookout Mobile Endpoint Security customers are protected from these threats.
Chinese APT41: State-sponsored spy group
APT41, also known as Double Dragon, BARIUM, and Winnti, is a state-sponsored spy group active since 2012. In August 2019 and August 2020, five of their hackers were indicted by a federal jury in Washington, DC for a computer intrusion campaign that affected dozens of companies in the US and abroad. These included software development companies, computer hardware manufacturers, telecom providers, social media companies, video game companies, non-profit organizations, universities, think tanks, foreign governments, and pro-democracy politicians and activists in Hong Kong.
An established threat actor like APT41, known for exploiting web applications and infiltrating traditional endpoints, is adding mobile devices to its malware arsenal. This shows that mobile devices are high-value targets holding coveted corporate and personal data.
The most important points about this discovery
- Both WyrmSpy and DragonEgg have sophisticated data collection and exfiltration capabilities. Lookout researchers believe they are distributed to victims via social engineering campaigns.
- Both use modules to hide their malicious intent and avoid detection.
- WyrmSpy is capable of collecting a variety of data from infected devices, including log files, photos, device location, SMS messages, and audio recordings. It primarily disguises itself as a standard Android system application that displays notifications to the user. Later variants also packaged the malware in apps masquerading as adult video content, the Baidu Waimai food delivery platform, and Adobe Flash.
- DragonEgg has been observed in apps masquerading as third-party Android keyboards and messaging apps like Telegram.
Advanced Android Malware Threat
"The discovery of WyrmSpy and DragonEgg is an indication of the growing threat of advanced Android malware," said Kristina Balaam, Senior Threat Researcher, Lookout collect devices. We urge Android users to be aware of the threat and to take steps to protect their devices, their work, and their personal information."
Researchers at Lookout Threat Labs have been actively tracking the spyware since 2020 and are providing information to Lookout Mobile Endpoint Security customers. The Lookout Security Graph leverages the machine intelligence of more than 215 million devices and 190 million apps, capturing 4.5 million URLs daily. Lookout protects its customers from phishing, app, device, and network threats while respecting user privacy.
More at Lookout.com
About Lookout
Lookout co-founders John Hering, Kevin Mahaffey, and James Burgess came together in 2007 with the goal of protecting people from the security and privacy risks posed by an increasingly connected world. Even before smartphones were in everyone's pocket, they realized that mobility would have a profound impact on the way we work and live.