Researchers at the Lookout Threat Lab have discovered a surveillance family, dubbed EagleMsgSpy, used by law enforcement in China to collect extensive information from mobile devices. Lookout has acquired several variants of the Android-targeted tool; internal documents obtained from open directories on attacker infrastructure also allude to the existence of an iOS component that has not yet been uncovered.
- EagleMsgSpy is a lawful intercept surveillance tool developed by a Chinese software development company and used by public security bureaus in mainland China.
- Early samples indicate the surveillance tool has been operational since at least 2017, with development continuing into late 2024.
- The surveillanceware consists of two parts: an installer APK, and a surveillance client that runs headlessly on the device when installed.
- EagleMsgSpy collects extensive data from the user: third-party chat messages, screen recordings and screenshots, audio recordings, call logs, device contacts, SMS messages, location data, and network activity.
- Infrastructure overlap and artifacts from open command and control directories allow us to attribute the surveillanceware to Wuhan Chinasoft Token Information Technology Co., Ltd. (武汉中软通证信息技术有限公司) with high confidence.
- EagleMsgSpy appears to require physical access to a target device in order to activate the information gathering operation by deploying an installer module that's then responsible for delivering the core payload.
Connections to other Chinese Surveillanceware Apps
Infrastructure sharing SSL certificates with EagleMsgSpy C2 servers was also used by known Chinese surveillance tools in earlier campaigns, the report says.
A sample of CarbonSteal - a surveillance tool discovered by Lookout and attributed to Chinese APTs - was observed communicating with another IP tied to the EagleMsgSpy SSL certificate, 119.36.193[.]210. This sample, created in July 2016, masquerades as a system application called “AutoUpdate”.
In a 2020 threat advisory, Lookout researchers detailed CarbonSteal activity in campaigns targeting minorities in China, including Uyghurs and Tibetans.
Significant overlap in signing certificates, infrastructure and code was observed between CarbonSteal and other known Chinese surveillance tools, including Silkbean, HenBox, DarthPusher, DoubleAgent and PluginPhantom.