“WyrmSpy” and “DragonEgg,” two spy bugs attributed to the Chinese threat group APT41, are targeting Android-based devices, according to researchers at Lookout, a mobile cybersecurity provider.
APT41, also known as Double Dragon, BARIUM and Winnti, is a state-sponsored espionage group that has been active since 2012. In August 2019 and August 2020, five of its hackers were charged by a federal grand jury in Washington, D.C. for a computer intrusion campaign that impacted dozens of companies in the United States and abroad.
The hacking crew is known for exploiting web-facing applications and infiltrating traditional endpoint devices. Lookout said that an “established threat actor like APT41 campaigning against mobile devices “shows how mobile endpoints are “high value targets” for work and personal information.
What We Know About the Spy Bugs
Threat discovery highlights include:
- Both WyrmSpy and DragonEgg have sophisticated data collection and exfiltration capabilities. Lookout researchers believe they are distributed to victims through social engineering campaigns.
- Both use modules to hide their malicious intentions and avoid detection.
- WyrmSpy is capable of collecting a wide range of data from infected devices including log files, photos, device location, SMS messages and audio recordings. It primarily masquerades as a default Android system app used for displaying notifications to the user. Later variants also package the malware into apps masquerading as adult video content, “Baidu Waimai” food delivery platform and Adobe Flash.
- DragonEgg has been observed in apps purporting to be third-party Android keyboards and messaging applications such as Telegram.
Kristina Balaam, Lookout senior threat researcher, explained how discovery of the malware shows the growing threat posed by “advanced” Android malware.
“These spyware packages are highly sophisticated and can be used to collect a wide range of data from infected devices. We urge Android users to be aware of the threat and to take steps to protect their devices, work and personal data.”
Protecting Your Organization
To protect your business and personal Android devices from WyrmSpy and DragonEgg, Lookout recommends the following:
- Keep your device’s software up to date.
- Only install apps from trusted sources and only download them from the Google Play Store.
- Be careful about what permissions you grant apps.