Chinese espionage group APT41 (aka Double Dragon, BARIUM, Winnti) has been linked to sophisticated Android surveillanceware known as WyrmSpy and DragonEgg.
Cybersecurity firm Lookout released a new report on July 19, 2023 highlighting its findings on APT41, citing the group's history of targeting both government agencies and private companies for espionage and financial gain.
According to the advisory, WyrmSpy and DragonEgg were first reported to subscribers of Lookout’s threat intelligence service in October 2020 and January 2021, respectively.
From a technical perspective, both surveillanceware tools use modules to hide their malicious activity. WyrmSpy masquerades as a default Android system app, while DragonEgg masquerades as a third-party Android keyboard or messaging app.
Both malware implants have extensive data collection and extraction capabilities, including log files, photos, device location, SMS messages, voice recordings, device contacts, external device storage files, camera photos, and more. WyrmSpy, in particular, leverages known rooting tools to gain elevated privileges on infected devices.
Regarding attribution, Lookout researchers discovered duplicate Android signing certificates and links between the malware's command-and-control (C2) infrastructure and Chengdu 404 Network Technology Co., a company associated with APT41, allowing them to attribute WyrmSpy and DragonEgg to APT41.
The researchers noted that these threats have never been discovered in the wild; instead, they assessed with moderate confidence that the malware was distributed to victims through social engineering campaigns.
Still, Lookout urged users to remain vigilant and contact the research team if they suspected they were being targeted or needed advice on mobile threats.
“The WyrmSpy and DragonEgg findings are a reminder of the growing threat posed by advanced Android malware,” said Kristina Balaam, senior threat researcher at Lookout.
“These spyware packages are highly sophisticated and can be used to collect a wide range of data from infected devices. Android users should be aware of this threat and take steps to protect their devices and their work and personal data.”
The Lookout report follows another report, published by Trend Micro in early May 2023, on a new campaign by Earth Longzhi, a subgroup of APT41.