Yesterday, Lookout, Inc., announced the discovery of sophisticated Android surveillanceware known as WyrmSpy and DragonEgg, which has been linked to the Chinese espionage group APT41 (AKA Double Dragon, BARIUM and Winnti). Despite being indicted on multiple charges by the U.S. government for its attacks on more than 100 private and public enterprises in the U.S. and around the world, APT41’s tactics have evolved to include mobile devices.
APT41, also known as Double Dragon, BARIUM and Winnti, is a state-sponsored espionage group that has been active since 2012. In August 2019 and August 2020, five of its hackers were charged by a federal grand jury in Washington, D.C. for a computer intrusion campaign that impacted dozens of companies in the United States and abroad, including software development companies, computer hardware manufacturers, telecommunications providers, social media companies, video game companies, non-profit organizations, universities, think tanks, foreign governments and pro-democracy politicians and activists in Hong Kong.
Known for its exploitation of web-facing applications and infiltration of traditional endpoint devices, an established threat actor like APT 41 including mobile in its arsenal of malware shows how mobile endpoints are high-value targets with coveted corporate and personal data.
Threat discovery highlights:
- Both WyrmSpy and DragonEgg have sophisticated data collection and exfiltration capabilities, and Lookout researchers believe they are distributed to victims through social engineering campaigns.
- Both use modules to hide their malicious intentions and avoid detection.
- WyrmSpy, which is capable of collecting a wide range of data from infected devices including log files, photos, device location, SMS messages and audio recordings, primarily masquerades as a default Android system app used for displaying notifications to the user. Later variants also package the malware into apps masquerading as adult video content, “Baidu Waimai” food delivery platform and Adobe Flash.
- DragonEgg has been observed in apps purporting to be third-party Android keyboards and messaging applications such as Telegram.
To protect your business and personal Android devices from WyrmSpy and DragonEgg, Lookout recommends the following:
- Keep your device’s software up to date.
- Only install apps from trusted sources and only download them from the Google Play Store.
- Be careful about what permissions you grant apps.
- Use a mobile security solution like Lookout.
“The discovery of WyrmSpy and DragonEgg is a reminder of the growing threat posed by advanced Android malware,” said Kristina Balaam, Senior Threat Researcher, Lookout. “These spyware packages are highly sophisticated and can be used to collect a wide range of data from infected devices. We urge Android users to be aware of the threat and to take steps to protect their devices, work and personal data.”
Lookout Threat Lab researchers have been actively tracking both spyware and providing coverage to Lookout Mobile Endpoint Security customers since 2020. The Lookout Security Graph leverages machine intelligence from more than 215 million devices, 190 million apps and ingests 4.5 million URLs daily. Lookout secures customers against phishing, app, device, and network threats in a manner that respects user privacy.
For further information about Wyrm and DragonEgg, visit the Lookout Threat Lab blog.
