The prolific China-related nation-state actor known as APT41 has been linked to two previously undocumented strains of Android spyware called WyrmSpy and DragonEgg.
“Known for their web-facing application exploits and traditional endpoint device infiltration, established threat actors such as APT 41 including mobile devices in their malware arsenal demonstrate how mobile endpoints are high-value targets with coveted corporate and personal data,” Lookout said in a report shared with The Hacker News.
APT41, also tracked under the names Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, HOODOO, Wicked Panda, and Winnti, has been in operation since at least 2007, targeting a variety of industries to commit intellectual property theft.
Recent attacks carried out by the adversary collective have leveraged an open source red team tool known as Google Command and Control (GC2) as part of campaigns aimed at media and job platforms in Taiwan and Italy.
The initial intrusion vector for the mobile surveillance campaign is unknown, although it is suspected to involve social engineering. Lookout says it first detected WyrmSpy in early 2017 and DragonEgg in early 2021, with new samples of the latter seen as recently as April 2023.
WyrmSpy primarily disguises itself as a default system application which is used to show notifications to users. Later variants, however, have packaged malware into applications that masquerade as adult video content, Baidu Waimai, and Adobe Flash. On the other hand, DragonEgg has been distributed in the form of third-party Android keyboards and messaging applications such as Telegram.
There is no evidence that either malicious app is distributed through the Google Play Store.
WyrmSpy and DragonEgg's connection to APT41 arose from their use of a command-and-control (C2) server with the IP address 121.42.149(.)52, which resolves to a domain ("vpn2.umisen(.)com") previously identified as part of the group's infrastructure.
Once installed, both types of malware request intrusive permissions and are equipped with advanced data collection and exfiltration capabilities, harvesting photos, locations, SMS messages, and audio recordings of users.
Both strains were also observed to rely on additional modules downloaded from C2 servers (now offline) after app installation to carry out data collection while evading detection.
WyrmSpy, for its part, is capable of disabling Security-Enhanced Linux (SELinux), a security feature in Android, and taking advantage of rooting tools such as KingRoot11 to gain elevated privileges on compromised handsets. A notable feature of DragonEgg is that it contacts the C2 server to retrieve an unknown tertiary module that functions as a forensics program.
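The C2 indicators above are published in defanged form. As an added example (not code from Lookout's report or this article), the following script refangs them and checks constructed DNS and connection log lines for contact with the indicator IP or domain; the key=value log format and sample lines are assumptions, not a real product's output.

```python
import re

# Defanged C2 indicators exactly as published for the WyrmSpy/DragonEgg attribution.
DEFANGED_IOCS = ["121.42.149(.)52", "vpn2.umisen(.)com"]

# Constructed sample log lines (assumed key=value format, not a real product's logs).
SAMPLE_LOGS = [
    "2023-04-12T10:01:02Z dns client=10.0.0.5 query=vpn2.umisen.com type=A",
    "2023-04-12T10:01:03Z conn client=10.0.0.5 dst=121.42.149.52 dport=443",
    "2023-04-12T10:02:00Z dns client=10.0.0.7 query=updates.example.net type=A",
    "2023-04-12T10:03:00Z conn client=10.0.0.7 dst=121.42.149.5 dport=443",
]

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def refang(ioc: str) -> str:
    """Undo common defanging: '(.)', '[.]', '{.}' -> '.', and 'hxxp' -> 'http'."""
    s = re.sub(r"[\(\[\{]\.[\)\]\}]", ".", ioc.strip().lower())
    return s.replace("hxxp", "http")


def host_matches(host: str, domain: str) -> bool:
    """True for the indicator itself or any subdomain; 'notvpn2.umisen.com' must not match."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def scan_logs(lines, defanged_iocs):
    """Return (line_number, indicator) pairs for every DNS query or destination hit."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for n, line in enumerate(lines, 1):
        # Only the fields that carry a resolved name or destination address are inspected.
        for m in re.finditer(r"\b(?:query|dst)=([\w.\-]+)", line):
            value = m.group(1).lower().rstrip(".")
            for ioc in iocs:
                if IPV4.fullmatch(ioc):
                    matched = value == ioc  # IP indicators: exact match only, no prefix hits
                else:
                    matched = host_matches(value, ioc)
                if matched:
                    hits.append((n, ioc))
    return hits


if __name__ == "__main__":
    for n, ioc in scan_logs(SAMPLE_LOGS, DEFANGED_IOCS):
        print(f"line {n}: contact with APT41-linked C2 indicator {ioc}")
```

The fourth sample line (a different address sharing a prefix with the indicator IP) deliberately produces no hit, which is the check a real matcher must get right.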
“The findings of WyrmSpy and DragonEgg are a reminder of the growing threat posed by advanced Android malware,” said Kristina Balaam, senior threat researcher at Lookout. “These spyware packages are very sophisticated and can be used to collect all kinds of data from infected devices.”
The findings come as Mandiant discloses evolving tactics adopted by Chinese espionage crews to fly under the radar, including weaponizing network devices and virtualization software, using botnets to obfuscate traffic between C2 infrastructure and victim environments, and tunneling malicious traffic inside victim networks through compromised systems.
"The use of botnets, proxying traffic on compromised networks, and targeting edge devices are not new tactics, nor are they unique to Chinese cyber espionage actors," said Google's threat intelligence firm. "Over the past decade, however, we have tracked the use of these and other tactics by Chinese cyber espionage actors as part of a broader evolution towards more targeted, stealthy and effective operations."