Cybersecurity researchers have discovered a new surveillance program believed to be used by police departments in China as a lawful intercept tool to collect a wide range of information from mobile devices.
The Android tool, which Lookout tracks as EagleMsgSpy, has been in use since at least 2017, yet artifacts were only uploaded to the VirusTotal malware scanning platform on September 25, 2024.
“The surveillance software consists of two parts: an APK installer and a surveillance client that runs headless on the device after installation,” Christina Balaam, Lookout’s senior threat intelligence officer, said in a technical report shared with The Hacker News.
“EagleMsgSpy collects a wide range of data from the user: third-party chat messages, screen recordings and screenshots, audio recordings, call logs, device contacts, SMS messages, location data, network activity.”
The developers describe EagleMsgSpy as a “comprehensive forensic cell phone monitoring product” that can obtain “real-time information about suspects’ cell phones through network monitoring without the suspect’s knowledge, monitor and summarize all criminal cell phone activities.”
The cybersecurity company attributed the surveillance program to a Chinese company called Wuhan Chinasoft Token Information Technology Co., Ltd. (aka Wuhan Zhongruan Tongzheng Information Technology Co., Ltd. and Wuhan ZRTZ Information Technology Co., Ltd.), citing overlapping infrastructure and references within the source code.
Lookout said internal company documents obtained from open directories of infrastructure controlled by the attacker hint at the possibility of an iOS component, although no such artifacts have yet been found in the wild.
What is notable about EagleMsgSpy is that it apparently requires physical access to the target device to start data collection: an installer module is deployed first, and that installer is then responsible for delivering the main payload, known as MM or eagle_mm.
The installer, for its part, can be obtained by various means, such as QR codes or a dedicated hardware device that installs it on the phone when connected over USB. The tool, which is actively maintained, is believed to be used by multiple customers of the software vendor, since the operator must enter a “channel” corresponding to an account.
The Android version of EagleMsgSpy is designed to intercept incoming messages; collect data from QQ, Telegram, Viber, WhatsApp and WeChat; start screen recording through the MediaProjection API; and take screenshots and audio recordings.
It is also equipped to collect call logs, contact lists, GPS coordinates, network and Wi-Fi connection details, files on external storage, bookmarks from the device’s browser and the list of applications installed on the device. The accumulated data is then compressed into password-protected archive files and transmitted to the command-and-control (C2) server.
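The capability list above maps almost one-to-one onto Android install-time permissions, which makes a decoded manifest a cheap first triage step for a suspicious APK. The script below is an added example for this article, not Lookout’s tooling or anything recovered from EagleMsgSpy: it parses an apktool-decoded AndroidManifest.xml, reports which of the data categories named above the app could reach, flags notification-listener and accessibility services (the usual route to third-party chat text), checks whether a foreground service is typed for MediaProjection screen capture, and notes the absence of a launcher activity, since a headless client has nothing for the user to tap. The embedded manifest is constructed, and the permission-to-category map is my own reading of the Android documentation.

```python
"""Static triage of a decoded AndroidManifest.xml against the data categories
the article attributes to EagleMsgSpy. Added example, not vendor or Lookout
code; the sample manifest below is constructed for illustration."""
import json
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Install-time permission -> data category named in the article (my mapping).
CAPABILITIES = {
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contact lists",
    "android.permission.ACCESS_FINE_LOCATION": "GPS coordinates",
    "android.permission.ACCESS_COARSE_LOCATION": "GPS coordinates",
    "android.permission.RECORD_AUDIO": "audio recordings",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage files",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "external storage files",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi connection details",
    "android.permission.ACCESS_NETWORK_STATE": "network details",
    "android.permission.QUERY_ALL_PACKAGES": "installed application list",
}
# Services that hand an app other apps' message content; keyed by the
# android:permission the service must declare to be bound by the system.
SERVICE_HOOKS = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener (third-party chat text)",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service (on-screen text, keystrokes)",
}

def triage_manifest(xml_text):
    """Return a dict describing the collection capabilities a manifest admits."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    report = {
        "categories": sorted({CAPABILITIES[p] for p in perms if p in CAPABILITIES}),
        "hooks": [],
        "screen_capture_service": False,
        "launcher_activity": False,
    }
    app = root.find("application")
    services = app.iter("service") if app is not None else []
    for svc in services:
        hook = svc.get(ANDROID + "permission")
        if hook in SERVICE_HOOKS:
            report["hooks"].append(SERVICE_HOOKS[hook])
        # MediaProjection needs no install-time permission (the user grants it
        # in a consent dialog), but since Android 14 the capturing foreground
        # service must declare this type, so it is visible statically.
        if "mediaProjection" in (svc.get(ANDROID + "foregroundServiceType") or ""):
            report["screen_capture_service"] = True
    activities = app.iter("activity") if app is not None else []
    for act in activities:
        for filt in act.iter("intent-filter"):
            cats = {c.get(ANDROID + "name") for c in filt.iter("category")}
            if "android.intent.category.LAUNCHER" in cats:
                report["launcher_activity"] = True
    # No launcher entry at all is consistent with a client meant to run headless.
    report["headless"] = not report["launcher_activity"]
    report["score"] = (len(report["categories"]) + len(report["hooks"])
                       + int(report["screen_capture_service"]) + int(report["headless"]))
    return report

# Constructed sample: what a headless collector's decoded manifest might look like.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sysupdate">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application android:label="System Update">
    <service android:name=".CaptureService"
             android:foregroundServiceType="mediaProjection|microphone"/>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

Run it against the output of `apktool d sample.apk` (the manifest lands in the decoded directory's root). A high score is a reason to look closer, not a verdict: legitimate backup or accessibility apps also request several of these permissions, so the combination with a missing launcher activity and a typed screen-capture service is what matters.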
Unlike earlier versions of EagleMsgSpy, which relied on several other obfuscation techniques, the latest versions use an open-source application protection tool called ApkToolPlus to hide classes. The surveillance module communicates with the C2 over WebSockets using STOMP (Simple Text Oriented Messaging Protocol) to report status updates and receive further instructions.
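STOMP is a plain-text framing protocol (a command line, `key:value` headers, a blank line, a body, a NUL terminator), which is why a WebSocket capture of such a C2 session is readable once the frames are split apart. The code below is an added example for this article, not EagleMsgSpy’s client or Lookout’s code: it implements a small STOMP 1.2 codec, a splitter for a captured byte stream, and a simulated implant-to-C2 round trip. The destination names, the use of the vendor “channel” as the CONNECT login, and the JSON task format are invented stand-ins for whatever the real tool sends.

```python
"""Minimal STOMP 1.2 frame codec and a simulated implant/C2 exchange.

Added illustration, not EagleMsgSpy's code. Destinations, header values and
the JSON task shape are invented. One STOMP frame per WebSocket text message
is assumed, which is the usual way STOMP is tunnelled over WebSockets."""
import json
import re
from dataclasses import dataclass, field

@dataclass
class Frame:
    command: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""

# STOMP 1.2 header escaping; applies to every frame except CONNECT/CONNECTED.
_ESC = {"\\": "\\\\", "\r": "\\r", "\n": "\\n", ":": "\\c"}
_UNESC = {v: k for k, v in _ESC.items()}

def _escape(s):
    return "".join(_ESC.get(ch, ch) for ch in s)

def _unescape(s):
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            pair = s[i:i + 2]
            if pair not in _UNESC:
                raise ValueError("undefined escape %r" % pair)
            out.append(_UNESC[pair]); i += 2
        else:
            out.append(s[i]); i += 1
    return "".join(out)

def encode(frame):
    """Serialize one frame. content-length is always emitted so a NUL inside a
    binary body (a chunk of a password-protected archive, say) cannot end the
    frame early."""
    esc = (lambda s: s) if frame.command in ("CONNECT", "CONNECTED") else _escape
    headers = dict(frame.headers, **{"content-length": str(len(frame.body))})
    head = "\n".join([frame.command] + ["%s:%s" % (esc(k), esc(v)) for k, v in headers.items()])
    return head.encode() + b"\n\n" + frame.body + b"\x00"

def decode(data):
    """Parse one frame from the front of `data`; returns (Frame, remaining bytes).
    Bare newlines are STOMP heartbeats and are skipped; (None, b'') means empty."""
    data = data.lstrip(b"\r\n")
    if not data:
        return None, b""
    m = re.search(rb"\r?\n\r?\n", data)
    if not m:
        raise ValueError("incomplete frame header")
    lines = data[:m.start()].decode("utf-8").split("\n")
    command = lines[0].rstrip("\r")
    unesc = (lambda s: s) if command in ("CONNECT", "CONNECTED") else _unescape
    headers = {}
    for line in lines[1:]:
        k, _, v = line.rstrip("\r").partition(":")
        headers.setdefault(unesc(k), unesc(v))   # spec: first repeated header wins
    rest = data[m.end():]
    if "content-length" in headers:
        n = int(headers["content-length"])
        body, tail = rest[:n], rest[n:]
        if tail[:1] != b"\x00":
            raise ValueError("missing NUL frame terminator")
        return Frame(command, headers, body), tail[1:]
    body, term, tail = rest.partition(b"\x00")
    if not term:
        raise ValueError("missing NUL frame terminator")
    return Frame(command, headers, body), tail

def split_stream(data):
    """Split a captured byte stream (e.g. concatenated WebSocket payloads from a pcap) into frames."""
    frames = []
    while True:
        frame, data = decode(data)
        if frame is None:
            return frames
        frames.append(frame)

def simulate_session(device_id="dev-0001", channel="demo-channel"):
    """Constructed round trip with both sides in-process. Returns the ordered
    (sender, command) transcript and the task the implant decoded."""
    transcript, inbox = [], {"implant": b"", "c2": b""}

    def send(sender, to, frame):
        transcript.append((sender, frame.command))
        inbox[to] += encode(frame)

    # Implant authenticates; the vendor "channel" (account) is assumed to ride in login.
    send("implant", "c2", Frame("CONNECT", {"accept-version": "1.2", "host": "c2.example",
                                            "login": channel, "passcode": "secret"}))
    send("c2", "implant", Frame("CONNECTED", {"version": "1.2", "heart-beat": "10000,10000"}))
    # Implant subscribes to its own task queue, then publishes a status report.
    send("implant", "c2", Frame("SUBSCRIBE", {"id": "sub-0", "ack": "client",
                                              "destination": "/queue/task/" + device_id}))
    status = json.dumps({"device": device_id, "battery": 87, "net": "wifi"}).encode()
    send("implant", "c2", Frame("SEND", {"destination": "/topic/status",
                                         "content-type": "application/json"}, status))
    # C2 pushes an instruction as a MESSAGE on the subscription (task format invented).
    task = json.dumps({"cmd": "screen_record", "seconds": 60}).encode()
    send("c2", "implant", Frame("MESSAGE", {"subscription": "sub-0", "message-id": "m-1",
                                            "destination": "/queue/task/" + device_id,
                                            "content-type": "application/json"}, task))
    # Implant parses its inbox and acknowledges the task it received.
    task_frame = next(f for f in split_stream(inbox["implant"]) if f.command == "MESSAGE")
    send("implant", "c2", Frame("ACK", {"id": task_frame.headers["message-id"]}))
    return transcript, json.loads(task_frame.body)

if __name__ == "__main__":
    for sender, command in simulate_session()[0]:
        print("%-8s %s" % (sender, command))
```

For live triage, extract the WebSocket text payloads from a capture (Wireshark’s `websocket.payload.text` field, for instance), concatenate them in order, and feed the bytes to `split_stream`; the `destination`, `subscription` and `content-type` headers then tell you which frames carry tasking and which carry exfiltrated data without touching the body encoding.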
“EagleMsgSpy C2 servers host an administrative panel that requires user authentication,” Balaam said. “This admin panel is implemented using the AngularJS framework with appropriately configured routing and authentication that prevent unauthorized access to the extensive admin API.”
It is the source code of this panel that contains functions such as “getListIOS()” to distinguish between device platforms, hinting at the existence of an iOS version of the tracking tool.
Lookout’s investigation revealed that the panel allows customers, likely law enforcement agencies located in China, to trigger real-time data collection from infected devices. Another link pointing to China is a hard-coded Wuhan phone number listed in several EagleMsgSpy samples.
The Hacker News also identified several patent applications filed by Wuhan ZRTZ Information Technology Co., Ltd. that describe various methods to “collect and analyze customer data, such as certain types of data, such as a suspect’s cell phone call recording, short messages, address book, instant chat software (QQ, WeChat, Momo, etc.) and so on, and create a relationship diagram between the suspect and others.”
Another patent details an “automated evidence collection method and system,” indicating that the company behind EagleMsgSpy is primarily focused on developing products suitable for use by law enforcement agencies.
“It’s entirely possible that the company included the methodologies described in their patent applications, particularly where they claim to have developed unique methods for creating correlation diagrams between victim datasets,” Balaam told The Hacker News. “However, we have no idea how the company handled the server-side data that was stolen from the victims’ devices.”
Moreover, Lookout said it identified two IP addresses associated with EagleMsgSpy C2 SSL certificates (202.107.80(.)34 and 119.36.193(.)210) that were also used by other China-linked tracking tools such as PluginPhantom and CarbonSteal, both of which have been used to target the Tibetan and Uyghur communities in the past.
“The malware is hosted on victim devices and configured through access to an unlocked victim device,” the company said. “Once installed, the headless payload runs in the background, hiding its activity from the user of the device and collecting a large amount of data from the user. Public CFPs for similar systems indicate that this tracking tool or similar systems are used by many public safety agencies in China.”