Chinese EagleMsgSpy Spyware Found Exploiting Mobile Devices Since 2017

Cybersecurity researchers have discovered a novel surveillance program suspected of being used by Chinese police departments as a lawful intercept tool to gather a wide range of information from mobile devices.

The Android tool, codenamed EagleMsgSpy by Lookout, has been operational since at least 2017, with artifacts uploaded to the VirusTotal malware scanning platform as recently as September 25, 2024.

“The surveillanceware consists of two parts: an installer APK, and a surveillance client that runs headlessly on the device when installed,” Kristina Balaam, senior staff threat intelligence researcher at Lookout, said in a technical report shared with The Hacker News.

“EagleMsgSpy collects extensive data from the user: third-party chat messages, screen recording and screenshot capture, audio recordings, call logs, device contacts, SMS messages, location data, [and] network activity.”

EagleMsgSpy has been described by its developers as a “comprehensive mobile phone judicial monitoring product” that can obtain “real-time mobile phone information of suspects through network control without the suspect’s knowledge, monitor all mobile phone activities of criminals, and summarize them.”

The cybersecurity company attributed the surveillance program to a Chinese company called Wuhan Chinasoft Token Information Technology Co., Ltd. (aka Wuhan Zhongruan Tongzheng Information Technology Co., Ltd and Wuhan ZRTZ Information Technology Co, Ltd.), citing infrastructure overlap and references within the source code.

Lookout said the company’s internal documents, which it obtained from open directories on attacker-controlled infrastructure, hint at the possibility of an iOS component, although such artifacts are yet to be discovered in the wild.

What’s notable about EagleMsgSpy is that it appears to require physical access to a target device in order to activate the information-gathering operation. This is accomplished by deploying an installer module that is then responsible for delivering the core payload, otherwise known as MM or eagle_mm.

The surveillance client, for its part, can be acquired through various methods, such as QR codes or via a physical device that installs it on the phone when connected over USB. It is believed that the actively maintained tool is used by multiple customers of the software vendor, given that it requires them to provide as input a “channel,” which corresponds to an account.

EagleMsgSpy’s Android version is designed to intercept incoming messages, collect data from QQ, Telegram, Viber, WhatsApp, and WeChat, initiate screen recording using the Media Projection API, and capture screenshots and audio recordings.

It is also equipped to gather call logs, contact lists, GPS coordinates, details about network and Wi-Fi connections, files in external storage, bookmarks from the device browser, and a list of installed applications on the devices. The collected data is subsequently compressed into password-protected archive files and exfiltrated to a command-and-control (C2) server.

Unlike early variants of EagleMsgSpy, which employed few obfuscation techniques, the recent counterparts use an open-source application protection tool called ApkToolPlus to obfuscate some of the code. The surveillance module communicates with the C2 over WebSockets using the STOMP protocol to provide status updates and receive further instructions.

“EagleMsgSpy C2 servers host an administrative panel requiring user authentication,” Balaam said. “This administrative panel is implemented using the AngularJS framework, with appropriately configured routing and authentication preventing unauthorized access to the extensive admin API.”

It is this panel source code that contains functions such as “getListIOS()” to distinguish between device platforms, alluding to the existence of an iOS version of the surveillance tool.

Lookout’s investigation has found that the panel allows customers, likely law enforcement agencies located in Mainland China, to trigger data collection in real time from the infected devices. Another link that points to China is a hardcoded Wuhan-based phone number specified in several EagleMsgSpy samples.

The Hacker News also identified several patent applications filed by Wuhan ZRTZ Information Technology Co, Ltd. that delve into the various methods that can be used to “collect and analyze client data such as data of certain types like call record of the suspect’s mobile phone, short messages, an address book, instant chat software (QQ, WeChat, Momo, etc.) and so forth, and generate a relationship diagram between the suspect and others.”

Another patent details an “automatic evidence-collecting method and system,” indicating that the company behind EagleMsgSpy is primarily focused on developing products that have law enforcement use cases.

“It’s possible that the company incorporated the methodologies described in their patent applications – especially in cases in which they claim to have developed unique methods of creating relationship diagrams between victim datasets,” Balaam told The Hacker News. “However, we don’t have insight into how the company processed data server-side that was exfiltrated from victim devices.”

What’s more, Lookout said it identified two IP addresses tied to EagleMsgSpy C2 SSL certificates (202.107.80[.]34 and 119.36.193[.]210) that have been used by other China-linked surveillance tools such as PluginPhantom and CarbonSteal, both of which have been used to target Tibetan and Uyghur communities in the past.
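As an added defender-side illustration of the two network characteristics the report describes (C2 communication over WebSockets using STOMP, and the two C2 addresses tied to the SSL certificates), here is a small detection routine in Python. It is not Lookout's code and is not part of the original report; the WebSocket payloads and destination addresses below are constructed samples, and a STOMP handshake to an unlisted host is only flagged for review because STOMP is a legitimate messaging protocol.

```python
# C2 addresses the Lookout report ties to EagleMsgSpy SSL certificates
# (printed de-fanged in the article as 202.107.80[.]34 and 119.36.193[.]210).
EAGLEMSGSPY_C2_IPS = {"202.107.80.34", "119.36.193.210"}

# Client-side STOMP commands; CONNECT (or STOMP) opens the session.
STOMP_COMMANDS = {"CONNECT", "STOMP", "SEND", "SUBSCRIBE", "UNSUBSCRIBE", "ACK",
                  "NACK", "BEGIN", "COMMIT", "ABORT", "DISCONNECT"}

def parse_stomp_frame(payload):
    """Parse one STOMP frame (command line, header lines, blank line, body,
    NUL terminator) into (command, headers, body); None if not STOMP."""
    if not payload.endswith("\x00"):
        return None
    head, sep, body = payload[:-1].partition("\n\n")
    if not sep:
        return None
    lines = head.split("\n")
    command = lines[0].strip()
    if command not in STOMP_COMMANDS:
        return None
    headers = {}
    for line in lines[1:]:
        key, colon, value = line.partition(":")
        if not colon:  # every header line must be key:value
            return None
        headers[key] = value
    return command, headers, body

def flag_records(records):
    """records: (dst_ip, websocket_text_payload) pairs. Returns alert strings:
    anything sent to a known C2 address, plus STOMP handshakes to other hosts
    as review items, since STOMP itself is a legitimate messaging protocol."""
    alerts = []
    for dst_ip, payload in records:
        frame = parse_stomp_frame(payload)
        if dst_ip in EAGLEMSGSPY_C2_IPS:
            kind = f"STOMP {frame[0]}" if frame else "non-STOMP data"
            alerts.append(f"{dst_ip}: {kind} to known EagleMsgSpy C2 address")
        elif frame and frame[0] in ("CONNECT", "STOMP"):
            alerts.append(f"{dst_ip}: STOMP handshake over WebSocket (review)")
    return alerts

# Constructed sample WebSocket text payloads, not captured traffic.
SAMPLE_RECORDS = [
    ("202.107.80.34", "CONNECT\naccept-version:1.2\nhost:c2\n\n\x00"),
    ("10.0.0.5", "SEND\ndestination:/queue/status\n\nok\x00"),
    ("119.36.193.210", "not a stomp frame"),
    ("10.0.0.9", "CONNECT\naccept-version:1.2\n\n\x00"),
]
```

Running `flag_records(SAMPLE_RECORDS)` yields three alerts: two for the known C2 addresses and one review item for the unlisted host's STOMP handshake.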

“The malware is placed on victim devices and configured through access to the unlocked victim device,” the company said. “Once installed, the headless payload runs in the background, hiding its activities from the user of the device and collects extensive data from the user. Public [calls for proposals] for similar systems indicate that this surveillance tool or analogous systems are in use by many public security bureaus in China.”
