# Full Report
Cybersecurity researchers have discovered a novel surveillance program that's suspected to be used by Chinese police departments as a lawful intercept tool to gather a wide range of information from mobile devices. The Android tool, codenamed EagleMsgSpy by Lookout, has been operational since at least 2017, with artifacts uploaded to the VirusTotal malware scanning platform as recently as
# Analysis Summary
# Tool/Technique: EagleMsgSpy
## Overview
EagleMsgSpy is a novel surveillance program, suspected to be used by Chinese police departments as a lawful intercept tool, designed to gather extensive information from Android mobile devices without the user's knowledge. It operates using a two-part structure: an installer APK and a surveillance client payload (MM or eagle\_mm).
## Technical Details
- Type: Malware family (Surveillanceware)
- Platform: Android (iOS component suspected but not confirmed in the wild)
- Capabilities: Comprehensive data collection including message interception, media recording, location tracking, and exfiltration.
- First Seen: Operational since at least 2017.
## MITRE ATT&CK Mapping
Since the article describes capabilities rather than specific execution steps within a standard attack chain, the mapping focuses on data collection and command/control:
- T1041 - Collection
- T1041.001 - Archive Collected Data
- T1041.002 - Command and Control Channel Communication
- TA0010 - Exfiltration
- T1041.004 - Exfiltration Over C2 Channel
- TA0002 - Execution
- T1204.002 - User Execution: Malicious File
- T1606 - Obtain Capabilities (Implied: Physical access required for initial deployment)
## Functionality
### Core Capabilities
- **Data Collection:** Intercepts third-party chat messages (QQ, Telegram, Viber, WhatsApp, WeChat), SMS messages, call logs, and device contacts.
- **Device Monitoring:** Captures screen recordings and screenshots, and performs audio recordings.
- **System Information Gathering:** Collects GPS location data, network activity details (Wi-Fi connections), files on external storage, browser bookmarks, and a list of installed applications.
- **Delivery:** Deployed via an installer APK, often requiring physical access to the target device initially. The core surveillance client (MM/eagle\_mm) can also be delivered via QR codes or connecting a physical device via USB.
### Advanced Features
- **Headless Operation:** The surveillance client runs headlessly on the device, hiding activities from the user.
- **Data Concealment:** Amassed data is compressed into password-protected archive files before exfiltration.
- **Obfuscation:** Recent variants utilize the open-source tool **ApkToolPlus** to conceal classes, an improvement over earlier variants with little obfuscation.
- **C2 Mechanism:** Uses **WebSockets** and the **STOMP** protocol for communication with the C2 server, sending status updates and receiving instructions.
- **Administrative Control:** The C2 server hosts an **AngularJS**-based administrative panel requiring user authentication, which allows operators to trigger data collection in real-time.
## Indicators of Compromise
- File Hashes: Artifact uploaded to VT: `e5b656166c612dd8d6e6d7de7fb89b47157703510052539e5eb7e8180fde4552` (SHA256, based on VT link context)
- File Names: Installer APK, Surveillance client payload referred to as **MM** or **eagle\_mm**.
- Registry Keys: (Not specified in the text)
- Network Indicators: C2 SSL certificates tied to IP addresses: `202.107.80[.]34` and `119.36.193[.]210`.
- Behavioral Indicators: Communication using WebSockets and STOMP protocol; attempts to access `Media Projection API` for screen recording.
## Associated Threat Actors
- Suspected Chinese police departments ("law enforcement agencies located in Mainland China").
- Developed/Sold by: Wuhan Chinasoft Token Information Technology Co., Ltd. (aka Wuhan Zhongruan Tongzheng Information Technology Co., Ltd and Wuhan ZRTZ Information Technology Co, Ltd.).
## Detection Methods
- Signature-based detection: Signatures for known file hashes or specific C2 communication patterns (STOMP/WebSocket).
- Behavioral detection: Monitoring for the deployment of an installer module requiring physical access, unauthorized use of the `Media Projection API`, or headless background execution capturing extensive private data.
- YARA rules: (Not specified in the text)
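As an added example (not code from the Lookout report or from the malware itself), the following Python parser recognises STOMP frames inside captured WebSocket text payloads, the C2 communication pattern named above, and reports the command and destination of each frame. The WebSocket messages below are constructed samples, not real captures.

```python
# Commands defined by the STOMP 1.x specification (client and server side).
STOMP_COMMANDS = {
    "CONNECT", "STOMP", "SEND", "SUBSCRIBE", "UNSUBSCRIBE", "BEGIN", "COMMIT",
    "ABORT", "ACK", "NACK", "DISCONNECT", "CONNECTED", "MESSAGE", "RECEIPT", "ERROR",
}

def parse_stomp_frame(payload: str):
    """Return {'command','headers','body'} for a well-formed STOMP frame, else None."""
    frame = payload.rstrip("\r\n")          # trailing EOLs after the NUL are permitted
    if not frame.endswith("\x00"):
        return None                         # every STOMP frame ends with a NUL octet
    frame = frame[:-1]
    head, sep, body = frame.partition("\n\n")   # blank line separates headers from body
    if not sep:
        return None
    lines = head.split("\n")
    command = lines[0].rstrip("\r")
    if command not in STOMP_COMMANDS:
        return None
    headers = {}
    for line in lines[1:]:
        key, colon, value = line.rstrip("\r").partition(":")
        if not colon:
            return None                     # headers must be key:value
        headers.setdefault(key, value)      # STOMP keeps the first of a repeated header
    return {"command": command, "headers": headers, "body": body}

def scan_ws_messages(messages):
    """Report (direction, command, destination) for every STOMP frame in the capture."""
    findings = []
    for direction, payload in messages:
        frame = parse_stomp_frame(payload)
        if frame:
            findings.append((direction, frame["command"], frame["headers"].get("destination")))
    return findings

# Constructed sample WebSocket text messages (not real captures); "/app/status" is made up.
SAMPLE_MESSAGES = [
    ("out", "CONNECT\naccept-version:1.2\nhost:example.invalid\n\n\x00"),
    ("out", "SEND\ndestination:/app/status\ncontent-type:application/json\n\n{\"battery\":91}\x00"),
    ("in",  '{"type":"chat","text":"hello"}'),            # plain JSON, not STOMP
    ("in",  "MESSAGE\ndestination:/user/queue/cmd\n\n{\"cmd\":\"status\"}\x00\n"),
    ("out", "SEND\ndestination:/app/x\n\nno terminator"),  # malformed: missing NUL
]

if __name__ == "__main__":
    for finding in scan_ws_messages(SAMPLE_MESSAGES):
        print(finding)
```

STOMP frames on the WebSocket traffic of an app that has no business using a message broker are the signal worth alerting on; the parser ignores ordinary JSON messages and frames without the mandatory NUL terminator.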
## Mitigation Strategies
- Secure physical devices: Since initial deployment often requires unlocking the device, physical security of mobile devices is paramount.
- Application security review: Scrutinizing devices for unauthorized applications performing background monitoring.
- Network monitoring: Monitoring outbound traffic for suspicious WebSockets or STOMP traffic to known or newly observed C2 infrastructure, especially if domain/IP reputation matches known Chinese surveillance tools.
## Related Tools/Techniques
- **PluginPhantom:** Another China-linked surveillance tool sharing C2 infrastructure.
- **CarbonSteal:** Another China-linked surveillance tool sharing C2 infrastructure.
- **ApkToolPlus:** Open-source tool used by the malware authors to obfuscate the surveillance payload's classes.