A newly discovered Android spyware, identified as 'EagleMsgSpy,' is reportedly being utilized by law enforcement agencies in China to conduct surveillance on mobile devices, according to cybersecurity firm Lookout.
Origins and Evidence
EagleMsgSpy, developed by Wuhan Chinasoft Token Information Technology Co., Ltd., has been in existence since at least 2017. Lookout researchers have uncovered various links demonstrating the connection between EagleMsgSpy and its creators. Evidence includes IP addresses associated with command-and-control (C2) servers, specific domains, and mentions in both internal documents and public contracts. There are indications of a possible iOS version of EagleMsgSpy, although researchers have not yet obtained a sample for further examination.
Installation and Distribution
According to Lookout, EagleMsgSpy is installed directly by law enforcement officials who gain physical access to unlocked devices, often during arrests—a practice observed in more restrictive regimes. The spyware has not been found on Google Play or other third-party app stores, suggesting it remains confined to a limited group of operators.
Advanced Features of EagleMsgSpy
The spyware's capabilities include:
- Intercepting messages from chat applications like QQ, Telegram, and WhatsApp.
- Capturing screen recordings, audio recordings, and screenshots.
- Accessing call logs, contacts, and SMS messages.
- Tracking location data, network activity, and installed applications.
- Retrieving browser bookmarks and files on external storage.
Collected data is temporarily stored in a concealed directory, where it is encrypted, compressed, and sent to C2 servers. Included with the malware is an admin panel named the "Stability Maintenance Judgment System," which enables remote operators to initiate live surveillance activities, such as starting audio recordings or displaying the geographical distribution of the target's contacts and interactions.
Attribution and Operations
Lookout's investigation firmly ties the spyware to Wuhan Chinasoft Token Information Technology through shared infrastructure and references in documentation. A promotional domain ('tzsafe[.]com') related to the company also appears within EagleMsgSpy's encrypted strings. The admin panel's layout contains screenshots of test devices whose location matches the firm's Wuhan office. Additionally, Lookout identifies C2 server domains connected to public security bureaus, notably including the Yantai Public Security Bureau and its Zhifu Branch. Historical IP data also shows connections with domains linked to security bureaus in Dengfeng and Guiyang. The naming of the spyware's admin panel implies use by law enforcement and possibly other government bodies, suggesting an organized approach to surveillance within China.