China's APT41 Linked to WyrmSpy, DragonEgg Mobile Spyware

Researchers have attributed two known Android surveillanceware programs — WyrmSpy and DragonEgg — to China's APT41.

APT41 (aka Winnti, BARIUM, Double Dragon) is a Chinese state-sponsored threat actor known equally for its espionage campaigns against government agencies and enterprises. It has compromised public and private organizations in the Asia-Pacific, but also has struck as far away as Australia, India, the United States, and beyond, gaining such notoriety that five of its members have been indicted by the US Department of Justice.

Often, APT41 has targeted endpoint devices and internet-exposed Web applications for its exploits. But as Lookout researchers described in a report published July 19, the group also occasionally dips its toes into mobile attacks, too, delivering spyware masked as Android applications.

We know this now because WyrmSpy and DragonEgg have used overlapping Android code signing certificates, indicating that they come from the same developers. And early samples of the former's source code included a hardcoded command-and-control (C2) server address, which resolved to the subdomain vpn2.umisen[.]com. The Justice Department linked vpn2.umisen[.]com with APT41 in its 2020 indictment.

Here Be Cyber Dragons: Inside WyrmSpy & DragonEgg

Befitting its stature, APT41's surveillanceware is a cut above most out in the wild.

For example, "a lot of malware authors, for lack of a better adjective, are a little bit lazy. They might just ask for all of the permissions under the sun and hope nobody notices when they're actually trying to compromise the device. But the threat actors have gone a step further here," says Kristina Balaam, senior security intelligence engineer at Lookout.

Consider WyrmSpy, which has been around since at least 2017. It most often disguises itself as a default Android system application for displaying notifications, though more recent variants have been hidden inside of apps pretending to be adult video content, the Chinese food delivery platform Baidu Waimai, and Adobe Flash. Once on a device, though, rather than just asking the user for permissions, it deploys rooting tools to escalate privileges before performing commands received from an attacker-controlled C2 server.

WyrmSpy is capable of reading log files and a device's location, exfiltrating audio files and photos, and reading or writing SMS messages.

"And then there's modularity," Balaam adds. "It's sometimes easier to have all of the surveillance functionality bundled within the base application, and you just send it out once you're good to go. In these cases, the attackers are consistently updating and iterating on the functionality that they've introduced."

WyrmSpy is modular, as is DragonEgg, first detected in 2021. Like WyrmSpy, DragonEgg nests inside of malicious apps, ranging from third-party keyboards to a trojanized version of Telegram, and asks the user for extensive permissions. It can steal a user's contacts, SMS messages, external device storage files, location, photos, and audio recordings.

A Surveillance State Goes Mobile

Exactly who or how many victims have been struck by these infostealers remains unknown.

"The challenging thing about this is that they're very generic in their targeting," Balaam laments. We might take it as a clue if the malware were packaged in an app aimed at a particular demographic, but Adobe Flash and Telegram are widespread general-use applications.

What is clear is that China has long used mobile spyware to target different groups. APT41 may be primarily concerned with governments and corporations, but previous campaigns have utilized similar Android malware to target Uyghur communities.

There's little any individual can do against the might of a group like APT41, but basic mobile security hygiene — like only downloading software from official app stores — is a place to start, Balaam says.

She also recommends antivirus for mobile platforms, even if it's the most basic. "At least then you're able to have detections for a lot of this surveillanceware, adware, banking Trojans — things you don't want on your device. You can get alerts and have those things removed by an application without having to figure it out yourself."