APT41 launches mobile attacks with advanced spyware WyrmSpy and DragonEgg

APT41 broadens its attack landscape to mobile devices

China's notorious state-backed APT41 hacking group, with a history of targeting various global industries, is evolving its cyberattack methodology to include mobile platforms. In particular, they've developed new Android spyware strains known as WyrmSpy and DragonEgg, as reported by Lookout security researchers:[1]

While APT41 is mostly known for exploiting web-facing applications and infiltrating traditional endpoint devices, these malware are rare reported instances of the group exploiting mobile platforms.

APT41,[2] also known under an array of other names, including Winnti, Axiom, and Brass Typhoon, has been engaged in cyber-espionage operations and commercial data theft for more than a decade. Historically, they have exploited vulnerable web applications and network-connected devices in their offensive campaigns, infiltrating a wide array of sectors ranging from software development and hardware manufacturing to think tanks, universities, and foreign governments.

In recent years, the group's interest in mobile platforms has emerged, reflecting the rising value and potential vulnerabilities of mobile endpoints. This shift in focus has led to the creation and deployment of the WyrmSpy and DragonEgg spyware strains, marking a significant evolution in the sophistication of APT41's malware arsenal. The group's investment in these advanced tools indicates the increasing allure of mobile devices as high-value targets containing coveted corporate and personal data.

Insights into WyrmSpy and DragonEgg

Lookout security researchers first discovered the presence of WyrmSpy in 2017 and DragonEgg at the start of 2021. Both malware strains are equipped with powerful data harvesting capabilities. Once installed on compromised devices, they can collect camera photos, device location, SMS messages, and audio recordings, posing a severe threat to both individual and organizational data security.

Moreover, these spyware strains can request intrusive permissions and deactivate essential security features. For instance, WyrmSpy is capable of disabling Security-Enhanced Linux (SELinux), an integral security feature in Android.[3] They also leverage various disguises to evade detection, with WyrmSpy primarily masquerading as a default system app for user notifications. Later versions of this malware have been found hidden within apps that pretend to offer adult video content, Baidu Waimai services, or Adobe Flash features.

In contrast, DragonEgg camouflages itself as a third-party keyboard or messaging app such as Telegram, using these fronts to operate covertly within infected Android devices.

Linking APT41 to the malware

The association between APT41 and the two Android spyware strains was identified through their shared usage of a specific command-and-control (C2) server. This server, tied to the IP address 121.42.149[.]52 and connected to the domain vpn2.umisen[.]com, was a part of APT41's attack infrastructure from May 2014 to August 2020. This finding corroborates the U.S. Department of Justice's indictment in September 2020, where they charged five Chinese nationals linked to APT41.[4]

While no apps containing these malware strains have been discovered on Google Play, researchers suggest that the group primarily distributes these spyware strains through social engineering campaigns. However, the precise number and identity of victims targeted by WyrmSpy and DragonEgg remain undisclosed.

The continuous evolution of APT41's strategies, including their shift towards mobile-focused attacks, signals an escalating threat to Android devices. The debut of WyrmSpy and DragonEgg in their arsenal is a stark reminder of the growing danger posed by advanced Android malware, requiring a heightened degree of vigilance and security measures across both personal and corporate mobile device usage.

About the author
Gabriel E. Hall
Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
