“Known to exploit web-facing applications and infiltrate traditional endpoint devices, for an established threat actor like APT41 to include mobile in its arsenal shows how mobile endpoints are becoming high-value targets holding corporate and personal data,” Lookout said in a report shared with The Hacker News.
APT41, also tracked under the names Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, HOODOO, Wicked Panda and Winnti, is believed to have been operating since at least 2007 with the goal of stealing intellectual property, targeting a wide range of industries.
An open-source red teaming tool called Google Command and Control (GC2) has been leveraged by the group in recent attacks as part of targeted intrusions against media and job platforms in Taiwan and Italy.
The initial intrusion vector for the mobile surveillanceware campaign is not known, although it is suspected to have involved the use of social engineering. Lookout said it first detected WyrmSpy in early 2017 and DragonEgg in early 2021, with new samples of the latter being observed as recently as April 2023.
WyrmSpy primarily masquerades as a default system app used to display notifications to the user. Later variants, however, packaged the malware into apps posing as adult video content, Baidu Waimai, and Adobe Flash. DragonEgg, on the other hand, is distributed as a third-party Android keyboard and as messaging apps such as Telegram.
There is no evidence that these rogue apps were promoted through the Google Play Store.
WyrmSpy and DragonEgg’s connection to APT41 stems from the use of a command-and-control (C2) server with the IP address 121.42.149[.]52, which resolves to a previously identified domain (“vpn2.umisen[.]com”) that has been linked to the group’s infrastructure.
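As an added illustration of the infrastructure-overlap pivot described above (example code written for this page, not Lookout’s tooling), the following Python refangs defanged indicators and reports which domains resolving to a C2 IP overlap a set of infrastructure already attributed to a group. Only the IP/domain pair quoted in the article comes from the report; the other passive-DNS rows and the known-infrastructure set are constructed placeholders.

```python
import re

# Constructed passive-DNS records: (domain, resolved_ip). The first row is the
# pair named in the article; the others are placeholder filler using the
# reserved .invalid TLD and a TEST-NET-3 address.
PASSIVE_DNS = [
    ("vpn2.umisen[.]com", "121.42.149[.]52"),
    ("other-site[.]invalid", "203.0.113[.]10"),
    ("shared-host[.]invalid", "121.42.149[.]52"),
]

# Constructed set of domains previously attributed to the group (assumption
# for the example; the article only states the domain was "previously
# identified" as group infrastructure).
KNOWN_GROUP_INFRA = {"vpn2.umisen.com"}

# Common defanging styles seen in threat reports: 1.2.3[.]4, 1.2.3(.)4, a[dot]b
DEFANG = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE)


def refang(indicator):
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp://a[.]b') into its real form."""
    s = DEFANG.sub(".", indicator.strip())
    # hxxp:// and hxxps:// are the usual defanged URL schemes
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)


def domains_for_ip(ip, records=PASSIVE_DNS):
    """All domains that resolved to `ip` in the passive-DNS records."""
    target = refang(ip)
    return {refang(d) for d, r in records if refang(r) == target}


def attribute(ip, known=KNOWN_GROUP_INFRA, records=PASSIVE_DNS):
    """Report the domains on the IP and which of them overlap known infrastructure.

    A non-empty overlap is the kind of link the report draws between the
    spyware's C2 address and previously identified group infrastructure;
    the other domain on the same IP shows why every resolution still needs
    a manual look (shared hosting is a common source of false links).
    """
    domains = domains_for_ip(ip, records)
    overlap = domains & set(known)
    return {
        "ip": refang(ip),
        "domains": sorted(domains),
        "linked": sorted(overlap),
        "attributed": bool(overlap),
    }
```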
Once installed, both malware families request intrusive permissions and are equipped with sophisticated data collection and exfiltration capabilities, harvesting users’ photos, locations, SMS messages and audio recordings.
The malware has also been observed relying on modules downloaded from the now-offline C2 servers after the app is installed, both to facilitate data collection and to avoid detection.
WyrmSpy, on its part, is able to disable Security-Enhanced Linux (SELinux), a security feature in Android, and can use rooting tools such as KingRoot11 to gain elevated privileges on compromised handsets. A notable feature of DragonEgg is that it establishes contact with a C2 server to fetch an unknown tertiary module which turns out to be a forensics program.
“The discovery of WyrmSpy and DragonEgg is a reminder of the growing threat posed by advanced Android malware,” said Kristina Balaam, senior threat researcher at Lookout. “These spyware packages are highly sophisticated and can be used to collect detailed data from infected devices.”
The findings come as Mandiant revealed evolving tactics adopted by Chinese espionage groups to fly under the radar, including weaponizing networking equipment and virtualization software, employing botnets to obscure traffic between C2 infrastructure and victim environments, and tunneling malicious traffic inside victim networks through compromised systems.
“The use of botnets, proxying traffic over a compromised network, and targeting edge devices are not new tactics, nor are they unique to Chinese cyber espionage actors,” the Google-owned threat intelligence firm said. “However, over the past decade, we have tracked the use of these and other tactics by Chinese cyber espionage actors as part of a broader evolution toward more purposeful, covert and effective operations.”