Chinese Threat Actor Targets Mobile Devices with New Spyware

The highly active nation-state group known as APT41 has been associated with two previously unknown types of Android spyware called WyrmSpy and DragonEgg.

APT41, also known as Axiom, Blackfly, Brass Typhoon, Bronze Atlas, HOODOO, Wicked Panda, and Winnti, has been operating since at least 2007 and has targeted various industries for intellectual property theft.

Recently, APT41 utilized an open-source red teaming tool called Google Command and Control (GC2) in attacks on media and job platforms in Taiwan and Italy.

Infection Vector Likely Based on Social Engineering Tricks

The initial method of intrusion for the mobile surveillanceware campaign is unclear but is suspected to involve social engineering tactics. WyrmSpy was initially detected in 2017, while DragonEgg was first identified in early 2021, with new samples of the latter discovered as recently as April 2023.

WyrmSpy often disguises itself as a default system app responsible for displaying notifications. However, later versions of the malware have been packaged as apps impersonating adult video content, Baidu Waimai, and Adobe Flash. DragonEgg, on the other hand, has been distributed through third-party Android keyboards and messaging apps like Telegram.

There is no evidence that these malicious apps were distributed through the official Google Play Store.

The connection between WyrmSpy, DragonEgg, and APT41 stems from the use of a command-and-control (C2) server with the IP address 121.42.149[.]52, associated with the group's infrastructure.

Once installed, both strains of malware request intrusive permissions and possess advanced data collection and exfiltration capabilities, including gathering users' photos, locations, SMS messages, and audio recordings.

The malware also utilizes modules downloaded from a C2 server that is no longer operational, enabling data collection while evading detection.

WyrmSpy has the ability to disable Security-Enhanced Linux (SELinux) and utilize rooting tools like KingRoot11 to gain elevated privileges on compromised devices. Notably, DragonEgg establishes communication with the C2 server to retrieve an unknown secondary module that masquerades as a forensic program.

July 19, 2023
