A sophisticated surveillance tool, believed to be employed by Chinese police departments for lawful intercept operations, has been discovered.
Dubbed ‘EagleMsgSpy’, the Android-based tool has been in operation since at least 2017 and was recently flagged through artifacts uploaded to the VirusTotal malware-scanning platform as recently as September 25, 2024.
Developed by Wuhan Chinasoft Token Information Technology, EagleMsgSpy is reportedly used by public security bureaus across mainland China.
The tool comprises two primary components: an installer APK and a surveillance client that operates headlessly on compromised devices. Once installed, the software enables extensive data collection, including messages from third-party chat apps, screen recordings and screenshots, audio recordings, call logs, contacts, SMS messages, geolocation data, and network activity.
The collected data is stored temporarily in a hidden directory on the infected device, where it is compressed and password-protected before being exfiltrated to a command-and-control (C2) server. The C2 infrastructure includes an administrative panel implemented using AngularJS. Despite routing and authentication measures, Lookout researchers were able to access portions of the panel’s source code.
The source code analysis revealed the possible existence of an iOS variant of EagleMsgSpy; however, researchers have yet to locate any iOS samples.
Infrastructure overlaps and artifacts from open command-and-control directories link EagleMsgSpy to earlier Chinese surveillance tools. For instance, PluginPhantom, a known surveillance tool used in campaigns by Chinese advanced persistent threat (APT) groups, has been observed sharing SSL certificates with EagleMsgSpy servers. Another surveillance tool, CarbonSteal, attributed to Chinese APTs, has been observed communicating with IP addresses tied to EagleMsgSpy infrastructure.