Chinese APT41 Linked to WyrmSpy and DragonEgg Surveillanceware

The Chinese espionage group APT41 (AKA Double Dragon, BARIUM and Winnti) has been linked to the sophisticated Android surveillanceware known as WyrmSpy and DragonEgg.

A new report published by cybersecurity firm Lookout on July 19, 2023, highlighted the findings, mentioning APT41's history of targeting both government organizations and private enterprises for espionage and financial gain.

According to the advisory, WyrmSpy and DragonEgg were first reported to Lookout's Threat Intelligence Services subscribers in October 2020 and January 2021, respectively.

From a technical standpoint, the surveillanceware tools use modules to hide their malicious activities. WyrmSpy poses as a default Android system app, and DragonEgg pretends to be a third-party Android keyboard or messaging app.

Both malware implants possess extensive data collection and exfiltration capabilities, covering log files, photos, device location, SMS messages, audio recordings, device contacts, files on external storage and camera photos. WyrmSpy, in particular, leverages known rooting tools to gain elevated privileges on infected devices.

As for the connection mentioned in the advisory, Lookout researchers said they were able to attribute WyrmSpy and DragonEgg to APT41 through the discovery of overlapping Android signing certificates and a link between the malware's command-and-control (C2) infrastructure and Chengdu 404 Network Technology Co., a company associated with APT41.
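The signing-certificate overlap that underpins the attribution above is a pivot defenders can reproduce over their own sample sets. The block below is an added example, not Lookout's tooling: it pulls the v1 (JAR-scheme) signer certificates out of an APK's `META-INF` PKCS#7 signature blocks with a small DER walker, fingerprints each certificate with SHA-256, and groups samples that share a signer. The `make_sample_apk` builder and the `constructed-cert-*` bodies exist only to produce constructed, offline test input and are not real applications or certificates.

```python
import hashlib, zipfile
from io import BytesIO

# DER-encoded id-signedData (1.2.840.113549.1.7.2) and id-data (1.2.840.113549.1.7.1)
OID_SIGNED_DATA, OID_DATA = bytes.fromhex("2a864886f70d010702"), bytes.fromhex("2a864886f70d010701")

def der_children(buf, start, end):  # yield (tag, tlv_start, value_start, value_end) per TLV
    while start < end:
        tag, n, pos = buf[start], buf[start + 1], start + 2
        if n & 0x80:  # long-form length: the next (n & 0x7F) bytes hold the real length
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        yield tag, start, pos, pos + n
        start = pos + n

def pkcs7_certificates(blob):  # DER bytes of every certificate carried in a PKCS#7 SignedData
    _, _, ci_s, ci_e = next(der_children(blob, 0, len(blob)))  # ContentInfo SEQUENCE
    oid, content = list(der_children(blob, ci_s, ci_e))[:2]    # contentType OID, [0] content
    if blob[oid[2]:oid[3]] != OID_SIGNED_DATA:
        return []
    _, _, sd_s, sd_e = next(der_children(blob, content[2], content[3]))  # SignedData SEQUENCE
    fields = list(der_children(blob, sd_s, sd_e))  # version, digestAlgorithms, encapContentInfo, [0] certificates
    if len(fields) < 4 or fields[3][0] != 0xA0:  # the certificates field is OPTIONAL
        return []
    return [blob[s:e] for t, s, _, e in der_children(blob, fields[3][2], fields[3][3]) if t == 0x30]

def apk_signer_fingerprints(apk):  # SHA-256 of each v1 (JAR-scheme) signing certificate in an APK
    fps = set()
    with zipfile.ZipFile(BytesIO(apk)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in pkcs7_certificates(z.read(name)):
                    fps.add(hashlib.sha256(cert).hexdigest())
    return fps

def cluster_by_signer(samples):  # {fingerprint: [sample names that share that signer]}
    clusters = {}
    for name, apk in samples.items():
        for fp in apk_signer_fingerprints(apk):
            clusters.setdefault(fp, []).append(name)
    return clusters

def tlv(tag, body):  # minimal DER encoder (bodies < 128 bytes), only for the constructed samples
    return bytes([tag, len(body)]) + body

def make_sample_apk(cert_der):  # constructed stand-in for a v1-signed APK; not a real app
    signed = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x30, tlv(0x06, OID_DATA)) + tlv(0xA0, cert_der))
    with zipfile.ZipFile(out := BytesIO(), "w") as z:
        z.writestr("META-INF/CERT.RSA", tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, signed)))
    return out.getvalue()
```

Samples signed only with the v2/v3 APK Signature Scheme carry no `META-INF/*.RSA` block and will yield an empty fingerprint set here, so an empty result means "no v1 signer found", not "unsigned".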

The security researchers clarified that these threats were not found in the wild. Instead, they assessed with moderate confidence that they were distributed to victims through social engineering campaigns.

Lookout nevertheless urged users to remain vigilant and to contact its research team if they suspect they are being targeted or need advice on mobile threats.

"The discovery of WyrmSpy and DragonEgg is a reminder of the growing threat posed by advanced Android malware," said Kristina Balaam, a senior threat researcher at Lookout.

"These spyware packages are highly sophisticated and can be used to collect a wide range of data from infected devices. We urge Android users to be aware of the threat and to take steps to protect their devices, work and personal data."

The Lookout report follows a separate one published by Trend Micro in early May 2023 that described a new campaign by Earth Longzhi, a subgroup of APT41.
