Chinese APT41 Linked to WyrmSpy and DragonEgg Surveillanceware
Cyber Security Threat Summary:
Researchers at Lookout released a report on July 19, 2023, revealing that the Chinese espionage group APT41 is associated with the advanced Android surveillanceware known as WyrmSpy and DragonEgg. The report emphasized APT41’s well documented past of conducting espionage and seeking financial advantages by targeting government institutions and private companies.The surveillanceware tools utilize modules to conceal their malicious activities. WyrmSpy adopts the guise of a default Android system app, while DragonEgg disguises itself as a third party Android keyboard or messaging application.
Both malware implants possess extensive capabilities for data collection and exfiltration. These include acquiring log files, photos, device location, SMS messages, audio recordings, device contacts, external device storage files, and camera photos. Notably, WyrmSpy exploits known rooting tools to gain elevated privileges on infected devices. Regarding the connection outlined in the advisory, Lookout researchers established the attribution of WyrmSpy and DragonEgg to APT41 by identifying shared Android signing certificates and a link between the malware’s command and control infrastructure and Cengdu 404 Network Technology Co, a company associated with APT41.
Security Officer Comments:
According to researchers, WyrmSpy emerged in October 2020 and DragonEgg in January 2021. The security researchers specified that these threats were not observed in active distribution. Instead they reasonably believed that the malware reached victims through social engineering campaigns. The spyware packages exhibited remarkable sophistication and have the potential to extract diverse data from compromised devices. It is essential for Android users to be vigilant about this threat and implement measures to safeguard their devices.
Suggested Correction(s):
Keep your software updated. Only 20 percent of Android devices are running the newest version and only 2.3 percent are on the latest release. Everything from your operating system to your social network apps are potential gateways for hackers to compromise your mobile device. Keeping software up to date ensures the best protection against most mobile security threats.
Choose mobile security. Just like computers, your mobile devices also need internet security. Make sure to select mobile security software from a trusted provider and keep it up to date.
Install a firewall. Most mobile phones do not come with any kind of firewall protection. Installing a firewall provides you with much stronger protection against digital threats and allows you to safeguard your online privacy.
Always use a passcode on your phone. Remember that loss or physical theft of your mobile device can also compromise your information. Download apps from official app stores.
Both the Google Play and Apple App stores vet the apps they sell; third-party app stores don’t always. Buying from well-known app stores may not ensure you never get a bad app, but it can help reduce your risk.
Always read the end-user agreement. Before installing an app, read the fine print. Grayware purveyors rely on your not reading their terms of service and allowing their malicious software onto your device.
IOCs:
https://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41
Link(s):
https://www.infosecurity-magazine.com/news/apt41-linked-wyrmspy-dragonegg/