Lookout analysts have discovered previously unknown Android spyware called EagleMsgSpy. It is believed to be used by law enforcement and government agencies in China to monitor mobile devices.

Researchers believe that the spyware was developed by the Chinese company Wuhan Chinasoft Token Information Technology Co., Ltd. (aka Wuhan Zhongruan Tongzheng Information Technology Co., Ltd and Wuhan ZRTZ Information Technology Co., Ltd.) and has been in use since at least 2017.

Even so, the first artifacts related to EagleMsgSpy were not uploaded to VirusTotal until September 25, 2024.

In their report, the researchers cite a wealth of evidence linking EagleMsgSpy to its developers and operators, including IP addresses associated with C&C servers, domains, direct links in internal documentation, as well as public contracts and OSINT data.

For example, the domain that Wuhan Chinasoft Token Information Technology uses to serve promotional materials (tzsafe[.]com), also appears in the EagleMsgSpy code, and the malware documentation directly mentions the name of the company.

In addition, the screenshots of test devices from the EagleMsgSpy administrative panel correspond to the location of the company's office in Wuhan.

The researchers also note that the developers' internal documentation and infrastructure contain signs of an iOS variant of EagleMsgSpy, but they do not yet have a sample for Apple devices.

The developers themselves describe EagleMsgSpy as a "comprehensive product for legal monitoring of mobile devices" that is capable of collecting "information from suspects' mobile phones in real time, through network monitoring without the suspect's knowledge, tracking all the criminal's mobile phone activities and summarizing them."

Lookout experts believe that law enforcement agencies manually install EagleMsgSpy on targeted devices when they have physical access to unlocked devices. This is likely to occur during the confiscation of devices, such as during arrests.

[Image: installer.jpg]

Since the APK installer was not found in the Google Play Store or in third-party app stores, the researchers assume that the spyware is distributed by a very small number of operators.

A comparison of different spyware samples showed that the developers are steadily improving code obfuscation and encryption (for example, with the help of the open source ApkToolPlus), which indicates that EagleMsgSpy is under active development.

Once installed on the target device, EagleMsgSpy does the following:

steals messages from instant messengers (including QQ, Telegram, Viber, WhatsApp, WeChat, and others);

records what is happening on the screen using the Media Projection API, takes screenshots and records audio;

retrieves call logs, the contact list, and SMS messages;

collects location data (GPS), network activity, and the list of installed applications;

steals browser bookmarks and files from external storage.

All collected data is temporarily stored in a hidden directory, encrypted, compressed, and then transmitted to the command and control servers.

The malware's admin panel is called the 'Stability Maintenance Judgment System.' It allows remote operators to initiate real-time actions such as recording audio, displaying the geographical distribution of the victim's contacts, and monitoring messaging.

[Image: panel.jpg]
[Image: contacts-geo.png]

As for the operators, Lookout states that EagleMsgSpy's command and control servers are linked to Public Security Bureau domains, including the Yantai and Zhifu branches.

The report also notes that Lookout identified two IP addresses associated with the SSL certificates of the EagleMsgSpy C&C servers (202.107.80[.]34 and 119.36.193[.]210). These addresses have previously been used by other Chinese spy tools, including PluginPhantom and CarbonSteal.
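The network indicators quoted above (the tzsafe[.]com domain and the two C&C IP addresses) are the parts of the report a defender can act on directly. The following is an added example, not code from Lookout or from the report, showing how to sweep DNS and connection logs for those indicators: it refangs the indicators as written on the page, matches subdomains of the domain as well as the bare name, and attaches the attribution context to each hit so an analyst sees why the match matters. The log format and the sample lines are constructed for this example and are not real telemetry.

```python
"""Sweep constructed DNS/connection log lines for the EagleMsgSpy network
indicators reported by Lookout. Example code added to this article; the log
format, field names and sample events are assumptions, not report data."""
import ipaddress

# Indicators exactly as the report defangs them, with the context it gives.
EAGLEMSGSPY_IOCS = {
    "tzsafe[.]com": "vendor promotional domain, also present in EagleMsgSpy code",
    "202.107.80[.]34": "C2 IP tied to EagleMsgSpy TLS certs; earlier PluginPhantom/CarbonSteal",
    "119.36.193[.]210": "C2 IP tied to EagleMsgSpy TLS certs; earlier PluginPhantom/CarbonSteal",
}

# Constructed sample log (assumed format: timestamp, event kind, key=value fields).
SAMPLE_LOG = """\
2024-09-25T10:02:11Z dns client=10.0.0.12 query=update.tzsafe.com answer=202.107.80.34
2024-09-25T10:02:12Z conn client=10.0.0.12 dst=202.107.80.34 dport=443 proto=tls
2024-09-25T10:03:40Z dns client=10.0.0.13 query=www.example.com answer=93.184.216.34
2024-09-25T10:04:01Z conn client=10.0.0.14 dst=119.36.193.210 dport=8080 proto=tcp
2024-09-25T10:05:00Z dns client=10.0.0.15 query=nottzsafe.com answer=198.51.100.7
"""


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('tzsafe[.]com', 'hxxp://') back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def domain_matches(fqdn: str, ioc_domain: str) -> bool:
    """Match the indicator domain itself and any subdomain of it, but not
    look-alikes such as 'nottzsafe.com' (a label boundary is required)."""
    fqdn = fqdn.lower().rstrip(".")
    return fqdn == ioc_domain or fqdn.endswith("." + ioc_domain)


def parse_line(line: str):
    parts = line.split()
    ts, kind = parts[0], parts[1]
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    return ts, kind, fields


def find_hits(log_text: str, iocs=EAGLEMSGSPY_IOCS):
    """Return one hit record per (event, indicator) match."""
    domains = {refang(k): v for k, v in iocs.items() if not is_ip(refang(k))}
    ips = {refang(k): v for k, v in iocs.items() if is_ip(refang(k))}
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kind, f = parse_line(line)
        matched = []
        # DNS queries are compared against domain indicators (with subdomains).
        if "query" in f:
            for dom, ctx in domains.items():
                if domain_matches(f["query"], dom):
                    matched.append((f"domain:{dom}", ctx))
        # Resolved answers and connection destinations are compared against C2 IPs.
        for key in ("answer", "dst"):
            if key in f and f[key] in ips:
                matched.append((f"ip:{f[key]}", ips[f[key]]))
        for indicator, ctx in matched:
            hits.append({"ts": ts, "event": kind, "client": f.get("client"),
                         "indicator": indicator, "context": ctx})
    return hits


def affected_clients(hits) -> list:
    """Distinct internal hosts that touched any indicator, for triage."""
    return sorted({h["client"] for h in hits if h["client"]})


if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['client']} {h['event']} -> {h['indicator']} ({h['context']})")
    print("clients to triage:", affected_clients(found))
```

A hit on one of the two IP addresses is weaker evidence than a hit on the domain: the report itself says those addresses were used by other Chinese spy tools before EagleMsgSpy, so they may be shared infrastructure, and a match should be corroborated with the TLS certificate observed on the connection and with the state of the device itself.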