12 December 2024

New EagleMsgSpy surveillance tool linked to Chinese authorities

A sophisticated surveillance tool has been discovered that is believed to be used by Chinese police departments for lawful intercept operations.

Dubbed ‘EagleMsgSpy’, the Android-based tool has been in operation since at least 2017 and came to light through artifacts uploaded to the VirusTotal malware scanning platform as recently as September 25, 2024.

Developed by Wuhan Chinasoft Token Information Technology, EagleMsgSpy is reportedly used by public security bureaus across mainland China.

The tool comprises two primary components: an installer APK and a surveillance client that operates headlessly on compromised devices. Once installed, the software enables extensive data collection, including messages from third-party chat apps, screen recordings and screenshots, audio recordings, call logs, contacts, SMS messages, geolocation data, and network activity.

The collected data is stored temporarily in a hidden directory on the infected device, where it is compressed and password-protected before being exfiltrated to a command-and-control (C2) server. The C2 infrastructure includes an administrative panel implemented using AngularJS. Despite routing and authentication measures, Lookout researchers were able to access portions of the panel’s source code.

The source code analysis revealed the possible existence of an iOS variant of EagleMsgSpy; however, researchers have yet to locate any iOS samples.

Infrastructure overlaps and artifacts from open command-and-control directories link EagleMsgSpy to earlier Chinese surveillance tools. For instance, PluginPhantom, a known surveillance tool used in campaigns by Chinese advanced persistent threat (APT) groups, has been observed sharing SSL certificates with EagleMsgSpy servers. Another surveillance tool called CarbonSteal, attributed to Chinese APTs, has been observed communicating with IP addresses tied to EagleMsgSpy infrastructure.
