Android Surveillanceware WyrmSpy and DragonEgg Traced Back to China's APT41
Malware Targets Vulnerable Communities
China's Advanced Persistent Threat 41 (APT41), a state-sponsored group notorious for espionage campaigns against governmental and private organizations, has recently been linked to two infamous Android surveillanceware programs, WyrmSpy and DragonEgg. The attribution to APT41, also known as Winnti, BARIUM, or Double Dragon, underscores the ever-increasing sophistication of cyber threats in today's interconnected world.
Researchers from Lookout have detailed the group's connections in a report released on July 19. APT41 has built a reputation for compromising organizations far beyond its Asian-Pacific home turf, with targets in Australia, India, and the United States. The group's notorious activity has led to five of its members being indicted by the U.S. Department of Justice.
While APT41 often focuses on endpoint devices and web applications, it occasionally ventures into mobile attacks, delivering spyware disguised as innocuous Android applications. Overlapping Android code signing certificates led to the link between APT41 and the surveillanceware programs WyrmSpy and DragonEgg. Furthermore, early samples of WyrmSpy's source code revealed a hardcoded command-and-control (C2) server address, directly tied to APT41 in a 2020 Justice Department indictment.
According to Kristina Balaam, senior security intelligence engineer at Lookout, APT41's surveillanceware exhibits a sophistication rarely seen. Unlike other malware authors who might indiscriminately ask for numerous permissions, APT41 meticulously escalates privileges using rooting tools once their spyware, often camouflaged as standard applications or popular services, is installed on a device.
WyrmSpy, for instance, has been operational since 2017 and is capable of a wide range of actions, including reading log files and device location, exfiltrating audio files and photos, and manipulating SMS messages. A newer malware, DragonEgg, detected in 2021, hides inside malicious apps and can steal a user's contacts, SMS messages, files, location data, photos, and audio recordings.
However, the specifics of who or how many have fallen victim to these malicious programs remain elusive. Balaam notes, "The challenging thing about this is that they're very generic in their targeting." Without a clear target demographic, the extent of these campaigns is hard to measure.
While APT41 is primarily preoccupied with governmental and corporate entities, its techniques echo previous campaigns using Android malware to target vulnerable communities, such as the Uyghurs in China. Despite the formidable capabilities of a group like APT41, Balaam emphasizes the importance of basic mobile security hygiene, like only downloading software from official app stores. She also advocates for antivirus software on mobile platforms, even the most fundamental.