APT41, a China-linked nation-state actor, has been linked to two new strains of Android spyware named WyrmSpy and DragonEgg. Lookout, a cybersecurity company, emphasized the inclusion of mobile devices in APT41’s arsenal, indicating the high value of mobile endpoints with corporate and personal data. APT41, known by various names, has been operational since 2007 and targets industries for intellectual property theft.
Recent attacks involving APT41 used the Google Command and Control (GC2) tool, targeting media and job platforms in Taiwan and Italy. The intrusion vector for the mobile surveillanceware campaign is suspected to involve social engineering. WyrmSpy was detected by Lookout in 2017, while DragonEgg was found in early 2021, with new samples seen as recently as April 2023.
WyrmSpy disguises itself as a system app or other content, while DragonEgg is distributed through third-party apps. The malware is not propagated through the Google Play Store, and the number of victims targeted is unknown.
WyrmSpy and DragonEgg are connected to APT41 through a command-and-control server with the IP address 121.42.149[.]52, associated with the group’s infrastructure. Once installed, both spyware strains request intrusive permissions and have advanced data collection capabilities, including harvesting photos, locations, SMS messages, and audio recordings.
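The attribution above rests on a single published network indicator, so the practical defender task is to refang that indicator and sweep outbound connection telemetry for it. The script below is an added example, not code from Lookout or from the report; the log format and the device names are constructed, and the only real value is the C2 address quoted on the page.

```python
import ipaddress
import re

# Defanged C2 indicator exactly as published in the report
# (the brackets neutralise the dots so the string is not clickable).
DEFANGED_C2 = "121.42.149[.]52"


def refang(indicator: str) -> str:
    """Turn a defanged IoC such as 121.42.149[.]52 back into a parseable IP string."""
    return (indicator.replace("[.]", ".")
                     .replace("(.)", ".")
                     .replace("[dot]", "."))


def ioc_set(indicators) -> set:
    """Parse each indicator into an ip_address object so matching is exact, not substring."""
    return {ipaddress.ip_address(refang(i)) for i in indicators}


# Constructed sample of outbound connection records (hypothetical format, not real telemetry).
SAMPLE_LOG = """\
2023-04-12T10:01:03Z device=android-7f3a dst=142.250.74.78 dport=443 proto=tcp
2023-04-12T10:01:09Z device=android-7f3a dst=121.42.149.52 dport=8081 proto=tcp
2023-04-12T10:02:44Z device=android-2c19 dst=17.253.144.10 dport=443 proto=tcp
2023-04-12T10:03:01Z device=android-2c19 dst=121.42.149.52 dport=80 proto=tcp
"""

LINE_RE = re.compile(r"device=(?P<device>\S+)\s+dst=(?P<dst>[0-9.]+)\s+dport=(?P<dport>\d+)")


def find_c2_contacts(log_text: str, indicators) -> list:
    """Return one record per log line whose destination matches a known C2 address."""
    known = ioc_set(indicators)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # line does not carry a destination field; skip it
        try:
            dst = ipaddress.ip_address(m.group("dst"))
        except ValueError:
            continue  # malformed address in the log; do not let it abort the sweep
        if dst in known:
            hits.append({
                "device": m.group("device"),
                "dst": str(dst),
                "dport": int(m.group("dport")),
                "line": line,
            })
    return hits


if __name__ == "__main__":
    for hit in find_c2_contacts(SAMPLE_LOG, [DEFANGED_C2]):
        print(f"ALERT device={hit['device']} contacted C2 {hit['dst']}:{hit['dport']}")
```

Matching on parsed `ip_address` objects rather than raw strings avoids the classic false positive where a substring search for `121.42.149.5` also matches `121.42.149.52`; it also means a single IoC list can be reused across logs that write the same address in different notations.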
WyrmSpy can disable Android’s Security-Enhanced Linux (SELinux) enforcement and gain elevated privileges, while DragonEgg contacts the C2 server to fetch an unknown module posing as a forensics program.
The discovery of WyrmSpy and DragonEgg highlights the growing threat of advanced Android malware, according to Kristina Balaam from Lookout.
Mandiant has disclosed evolving tactics used by Chinese espionage groups, including using botnets, proxying traffic, and targeting edge devices to conduct stealthy and effective operations.