Chinese Spyware Targets Android Devices - New Research

December 11, 2024
New Spyware Used for Surveillance in China

Security researchers have identified a novel surveillance application reportedly utilized by Chinese law enforcement agencies. This tool is designed to gather sensitive data from Android devices within China.

Discovery of EagleMsgSpy

The surveillance tool, designated “EagleMsgSpy,” was brought to light by the team at U.S.-based cybersecurity firm Lookout. During the Black Hat Europe conference held on Wednesday, the company revealed that multiple versions of the spyware had been obtained. Lookout asserts the tool has been actively deployed since “at least 2017.”

According to Kristina Balaam, a senior intelligence researcher at Lookout, the spyware has been employed by numerous public security bureaus across mainland China. Its purpose is to amass “extensive” information from mobile devices.

Data Collection Capabilities

EagleMsgSpy is capable of collecting a wide range of data, including:

  • Call logs
  • Contact lists
  • GPS location data
  • Browser bookmarks
  • Messages from applications like Telegram and WhatsApp

Furthermore, the tool can initiate screen recordings on smartphones. It also possesses the ability to capture audio while the device is in use, as detailed in research shared by Lookout with TechCrunch.

App Description and Functionality

A manual reviewed by Lookout characterizes the application as a “comprehensive mobile phone judicial monitoring product.” This product aims to acquire “real-time mobile phone information of suspects” through network control, all without the user’s awareness. It is designed to monitor and summarize all mobile phone activities of individuals under investigation.

Attribution and Infrastructure

Balaam indicates that, based on overlapping infrastructure, she has a “high confidence” assessment that EagleMsgSpy was developed by Wuhan Chinasoft Token Information Technology, a private Chinese technology company. The tool’s infrastructure also demonstrates connections between the developer and public security bureaus – essentially local police stations – in mainland China.

Targeting and Potential Risks

The extent of EagleMsgSpy's targeting remains unknown. While the tool is likely being used primarily for domestic surveillance, Balaam cautions that “anybody traveling to the region could be at risk.”

She suggests the infrastructure’s accessibility from North America indicates an intent to track individuals even after they leave China, regardless of their citizenship.

Connections to Other Surveillance Tools

Lookout has identified two IP addresses associated with EagleMsgSpy that have also been utilized by other China-linked surveillance tools. One such tool is CarbonSteal, which has been previously used in campaigns targeting the Tibetan and Uyghur communities.

Development and Future Capabilities

Currently, EagleMsgSpy requires physical access to the target device. However, Balaam notes that the tool is still under development as of late 2024. She believes it is “entirely possible” that future iterations of EagleMsgSpy will not necessitate physical access for deployment.

Potential iOS Version

Lookout’s analysis of internal documents suggests that an iOS version of the spyware exists, though it has not yet been identified.
