Chinese Threat Actor Targets Mobile Devices with New Spyware
The highly active nation-state group known as APT41 has been associated with two previously unknown types of Android spyware called WyrmSpy and DragonEgg.
APT41, also known as Axiom, Blackfly, Brass Typhoon, Bronze Atlas, HOODOO, Wicked Panda, and Winnti, has been operating since at least 2007 and has targeted various industries for intellectual property theft.
Recently, APT41 utilized an open-source red teaming tool called Google Command and Control (GC2) in attacks on media and job platforms in Taiwan and Italy.
Infection Vector Likely Based on Social Engineering Tricks
The initial method of intrusion for the mobile surveillanceware campaign is unclear but is suspected to involve social engineering tactics. WyrmSpy was initially detected in 2017, while DragonEgg was first identified in early 2021, with new samples of the latter discovered as recently as April 2023.
WyrmSpy often disguises itself as a default system app responsible for displaying notifications. However, later versions of the malware have been packaged as apps impersonating adult video content, Baidu Waimai, and Adobe Flash. DragonEgg, on the other hand, has been distributed through third-party Android keyboards and messaging apps like Telegram.
There is no evidence that these malicious apps were distributed through the official Google Play Store.
The connection between WyrmSpy, DragonEgg, and APT41 stems from the use of a command-and-control (C2) server with the IP address 121.42.149[.]52, associated with the group's infrastructure.
Once installed, both strains of malware request intrusive permissions and possess advanced data collection and exfiltration capabilities, including gathering users' photos, locations, SMS messages, and audio recordings.
Both families also rely on additional modules downloaded from a C2 server that is no longer operational; keeping the collection logic out of the installed package in this way reduces what static analysis of the dropper can see and helps the malware evade detection.
WyrmSpy can disable Security-Enhanced Linux (SELinux) and uses rooting tools such as KingRoot11 to gain elevated privileges on compromised devices, an approach that depends on unpatched privilege-escalation bugs, so a fully patched device will not be rooted by this step. Notably, DragonEgg contacts the C2 server to retrieve an unknown secondary module that masquerades as a forensic program.
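The indicators above (a surveillance-grade permission set requested by an app posing as a system notification service, plus contact with the C2 address 121.42.149[.]52) can be turned into a simple triage check. The script below is an added example and is not code from Lookout, from the article, or from the WyrmSpy/DragonEgg samples; the manifest, the package name com.example.notifier, the log line format and the permission weights are all constructed assumptions for illustration.

```python
"""Triage helper for Android surveillanceware indicators (added example).

Not code from the article or from any published analysis; it applies the
indicators described there (intrusive permissions, a known C2 IP) to
constructed sample inputs. Package names, log lines and weights are invented.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that together enable the collection described in the article:
# SMS, audio, location and files/photos. Weights are an assumed scoring
# rubric for this example, not a published one.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_SMS": 3,
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.RECORD_AUDIO": 3,
    "android.permission.ACCESS_FINE_LOCATION": 2,
    "android.permission.ACCESS_BACKGROUND_LOCATION": 2,
    "android.permission.READ_EXTERNAL_STORAGE": 1,
    "android.permission.CAMERA": 2,
    "android.permission.READ_CALL_LOG": 2,
}

# The C2 address named in the article, defanged as printed and refanged here.
KNOWN_C2 = {"121.42.149[.]52".replace("[.]", ".")}

# Constructed manifest: an app labelled like a system notification service
# that nonetheless asks for SMS, microphone, location and storage access.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notifier">
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="System Notification"/>
</manifest>"""

# Constructed per-app connection log: "<timestamp> <package> -> <ip>:<port>".
SAMPLE_NETLOG = [
    "2023-04-01T10:00:00Z com.example.notifier -> 121.42.149.52:443",
    "2023-04-01T10:00:05Z com.android.chrome -> 203.0.113.5:443",
    "2023-04-01T10:01:00Z com.example.notifier -> 121.42.149.52:8080",
]


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def surveillance_score(manifest_xml):
    """Score the manifest against SURVEILLANCE_PERMISSIONS.

    Returns (score, sorted list of matching permission names)."""
    perms = requested_permissions(manifest_xml)
    hits = sorted(p for p in perms if p in SURVEILLANCE_PERMISSIONS)
    return sum(SURVEILLANCE_PERMISSIONS[p] for p in hits), hits


def c2_contacts(netlog_lines, c2_ips=KNOWN_C2):
    """Return (package, dst_ip) pairs for connections to known C2 addresses."""
    pat = re.compile(
        r"^\S+\s+(?P<pkg>\S+)\s+->\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+$"
    )
    hits = []
    for line in netlog_lines:
        m = pat.match(line)
        if m and m.group("ip") in c2_ips:
            hits.append((m.group("pkg"), m.group("ip")))
    return hits


def triage(manifest_xml, netlog_lines, threshold=5):
    """Combine both signals. An app is flagged when its permission score
    reaches the threshold or it talked to a known C2 address at all."""
    score, hits = surveillance_score(manifest_xml)
    package = ET.fromstring(manifest_xml).get("package")
    beacons = [ip for pkg, ip in c2_contacts(netlog_lines) if pkg == package]
    return {
        "package": package,
        "score": score,
        "permissions": hits,
        "c2_contacts": beacons,
        "suspicious": score >= threshold or bool(beacons),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_NETLOG))
```

The permission score alone would also flag legitimate messaging or navigation apps, so in practice it is a prioritisation signal; the C2 match is the high-confidence indicator, and the threshold is a tuning knob rather than a verdict.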