
Android Spyware WyrmSpy and DragonEgg Attributed to APT41

APT41 (aka Winnti, BARIUM, or Double Dragon) has been linked to a cyberespionage campaign that dropped two spyware strains, dubbed WyrmSpy and DragonEgg, on Android mobile devices.

APT41 is one of the oldest China state-backed groups with a history of targeting various industries in the U.S., Asia, and Europe. In September 2020, the DOJ charged five group members for their involvement in cyberattacks on more than 100 companies.

Despite the crackdown, the group continues to evolve and has now shifted its focus to mobile users. The finding comes as Mandiant disclosed the evolving tactics adopted by Chinese espionage groups to fly under the radar.

About WyrmSpy and DragonEgg spyware

Lookout first identified WyrmSpy in 2017 and DragonEgg in early 2021, with the most recent versions dating back to April 2023.
  • Both share similar Android signing certificates and come with extensive data collection and exfiltration capabilities, harvesting users’ photos, locations, SMS messages, and audio recordings from compromised mobile devices.
  • Upon execution, WyrmSpy uses known rooting tools to gain escalated privileges on compromised devices and perform surveillance activities based on the commands received from its C2 servers.
  • Similar to WyrmSpy, DragonEgg relies on additional commands from its C2 servers to implement its capabilities. 
Researchers were able to attribute both malware families to APT41 because of C2 infrastructure hardcoded into the malware's source code.
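As an added example, not code from Lookout's report or from this article: a small Python triage script that pivots on the two overlap signals the researchers describe, shared Android signing certificates and hardcoded C2 hosts, across a set of APKs and groups samples that are linked by either. The APKs, certificate blobs and hostnames are constructed for the example, and the "fingerprint" is a hash of the raw signature block rather than the parsed X.509 certificate.

```python
import hashlib
import io
import re
import zipfile
from collections import defaultdict

# Constructed sample "APKs": an APK is a zip archive; the signer block lives under
# META-INF/ and hardcoded strings (including C2 hosts) usually sit in classes.dex.
# Every byte below is made up for this example, not a real WyrmSpy/DragonEgg artifact.
def build_apk(cert_blob: bytes, dex_strings: list) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", cert_blob)
        z.writestr("classes.dex", b"\x00".join(s.encode() for s in dex_strings))
    return buf.getvalue()

SAMPLES = {
    "sample_a.apk": build_apk(b"cert-blob-1", ["https://c2-example-1.invalid/api", "hello"]),
    "sample_b.apk": build_apk(b"cert-blob-1", ["http://c2-example-2.invalid/upload"]),
    "sample_c.apk": build_apk(b"cert-blob-2", ["http://c2-example-2.invalid/upload"]),
    "benign.apk":   build_apk(b"cert-blob-3", ["https://update.vendor.invalid/"]),
}
HOST_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")

def extract_indicators(apk_bytes: bytes):
    """Return (signer fingerprint, set of hostnames) for one APK. Simplification:
    the fingerprint is SHA-256 of the raw signature block, not the parsed certificate."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        sig = next(n for n in z.namelist()
                   if n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC")))
        fp = hashlib.sha256(z.read(sig)).hexdigest()
        hosts = {h.decode() for h in HOST_RE.findall(z.read("classes.dex"))}
    return fp, hosts

def cluster(samples: dict):
    """Union-find over samples: link two APKs if they share a signer or a hardcoded host."""
    parent = {n: n for n in samples}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    seen = defaultdict(list)  # (indicator kind, value) -> sample names already seen
    for name, data in samples.items():
        fp, hosts = extract_indicators(data)
        for key in [("cert", fp)] + [("host", h) for h in hosts]:
            for other in seen[key]:
                parent[find(name)] = find(other)
            seen[key].append(name)
    groups = defaultdict(set)
    for n in samples:
        groups[find(n)].add(n)
    return sorted(groups.values(), key=lambda g: sorted(g))
```

Running `cluster(SAMPLES)` links sample_a and sample_b through the shared signer and sample_b and sample_c through the shared host, leaving the benign sample in its own group.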

Distribution process

Researchers have not encountered the samples in real-world attacks but believe they are distributed through social engineering tactics.
  • In the current campaign, the spyware was distributed via apps on the Google Play Store.
  • While WyrmSpy primarily masquerades as a default operating system app used for displaying notifications to users, the attackers used an adult video content app, a Baidu Waimai food delivery platform, and Adobe Flash to distribute the latest variants of the spyware.
  • DragonEgg malware was concealed either in third-party keyboards or messaging apps such as Telegram.

Bottom line

APT41’s interest in Android devices shows that mobile endpoints are high-value targets holding coveted data. Users should avoid downloading apps from untrusted third-party sources and should check the reviews and ratings before downloading apps from the Google Play Store.
Cyware Publisher
