Yesterday, Lookout, Inc., announced the discovery of sophisticated Android surveillanceware known as WyrmSpy and DragonEgg, which has been linked to the Chinese espionage group APT41 (AKA Double Dragon, BARIUM and Winnti). Although the U.S. government has indicted APT41 on multiple charges for its attacks on more than 100 private and public enterprises in the U.S. and around the world, the group’s tactics have since evolved to include mobile devices.
The state-sponsored espionage group APT41, also known as Double Dragon, BARIUM, and Winnti, has been active since 2012. In August 2019 and August 2020, five of its hackers were charged by a federal grand jury in Washington, D.C. for a computer intrusion campaign that impacted numerous companies in the United States and abroad. These companies included software development companies, computer hardware manufacturers, telecommunications providers, social media companies, video game companies, non-profit organizations, universities, think tanks, foreign governments, and pro-democracy politicians and activists in Hong Kong.
APT41 has a reputation for exploiting web-facing applications and infiltrating traditional endpoint devices. The inclusion of mobile devices in its arsenal of malware highlights the value of mobile endpoints and the corporate and personal data they hold.
The discovery of WyrmSpy and DragonEgg by Lookout researchers is significant because of the sophisticated data collection and exfiltration capabilities of this surveillanceware. The malware is believed to be distributed to victims through social engineering campaigns. Both WyrmSpy and DragonEgg use modules to conceal their malicious intentions and evade detection.
WyrmSpy masquerades as a default Android system app that displays notifications to the user. It can collect a wide range of data from infected devices, including log files, photos, device location, SMS messages, and audio recordings. Later variants are packaged in apps posing as adult video content, the “Baidu Waimai” food delivery platform, and Adobe Flash.
DragonEgg, on the other hand, has been observed in apps claiming to be third-party Android keyboards and messaging applications like Telegram.
To protect Android devices from WyrmSpy and DragonEgg, Lookout recommends keeping the device’s software up to date, only installing apps from trusted sources (such as the Google Play Store), being cautious about granting app permissions, and using a mobile security solution like Lookout.
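The data WyrmSpy is reported to collect (log files, photos, location, SMS, audio) maps directly onto a small set of Android permissions, so one practical way to act on the "be cautious about granting app permissions" advice is to audit which installed apps hold that combination. The script below is an added example, not Lookout's code or tooling: it parses the `<permission>: granted=<true|false>` lines that `adb shell dumpsys package <pkg>` prints and flags any package holding permissions from several of the capability groups at once. The sample dump, the package names and the `Package [...]` header layout are constructed and simplified; real dumpsys output varies by Android version, so the parser relies only on those two line shapes.

```python
"""Triage installed Android apps by high-risk permission combinations.

Added example (not Lookout's code or tooling). The dumpsys layout assumed
here is simplified: only `Package [<name>]` headers and
`<permission>: granted=<true|false>` lines are interpreted.
"""
import re
from typing import Dict, Set

# Capability groups derived from the data WyrmSpy is reported to collect:
# SMS, photos/files, device location, audio recordings, log files.
# The permission names are real Android permissions; the grouping is ours.
HIGH_RISK = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.READ_MEDIA_IMAGES"},
    "logs": {"android.permission.READ_LOGS"},
}

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_dumpsys(text: str) -> Dict[str, Set[str]]:
    """Return {package: set(granted permissions)} from dumpsys-style text."""
    granted: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            granted.setdefault(current, set())
            continue
        m = PERM_RE.match(line)
        if m and current and m.group(2) == "true":
            granted[current].add(m.group(1))
    return granted


def triage(granted: Dict[str, Set[str]], threshold: int = 3) -> Dict[str, Set[str]]:
    """Flag packages holding permissions from at least `threshold` groups.

    Returns {package: set(capability group names)} for flagged packages only.
    A single sensitive permission (e.g. a keyboard with RECORD_AUDIO) is
    normal; the combination of SMS + location + audio + storage is what
    warrants a closer look.
    """
    flagged: Dict[str, Set[str]] = {}
    for pkg, perms in granted.items():
        caps = {cap for cap, needed in HIGH_RISK.items() if perms & needed}
        if len(caps) >= threshold:
            flagged[pkg] = caps
    return flagged


# Constructed sample: a notification-style "system" app holding the full
# surveillance permission set, next to a benign keyboard app.
SAMPLE_DUMP = """\
Package [com.example.systemnotify] (abc123):
  runtime permissions:
    android.permission.READ_SMS: granted=true
    android.permission.ACCESS_FINE_LOCATION: granted=true
    android.permission.RECORD_AUDIO: granted=true
    android.permission.READ_EXTERNAL_STORAGE: granted=true
  install permissions:
    android.permission.READ_LOGS: granted=true
Package [com.example.keyboard] (def456):
  runtime permissions:
    android.permission.RECORD_AUDIO: granted=true
    android.permission.READ_SMS: granted=false
"""

if __name__ == "__main__":
    # Replace SAMPLE_DUMP with the output of `adb shell dumpsys package <pkg>`
    # (one package at a time, or concatenated) to audit a real device.
    for pkg, caps in triage(parse_dumpsys(SAMPLE_DUMP)).items():
        print(f"{pkg}: {', '.join(sorted(caps))}")
```

On the constructed sample only `com.example.systemnotify` is flagged; the keyboard holds one sensitive permission, which is expected for its purpose. The threshold is a triage heuristic, not a verdict: a flagged app still needs to be checked against its install source and declared purpose, which is where the "trusted sources" advice above comes in.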
Kristina Balaam, Senior Threat Researcher at Lookout, emphasized the growing threat posed by advanced Android malware. She urged Android users to be vigilant and take steps to protect their devices and personal data.
Lookout’s Threat Lab researchers have been actively tracking and providing coverage for both WyrmSpy and DragonEgg since 2020. They leverage machine intelligence from millions of devices, apps, and URLs to secure customers against phishing, app, device, and network threats while respecting user privacy.
For more information about WyrmSpy and DragonEgg, visitors can refer to the Lookout Threat Lab blog.
