SecurityWeek

Mobile Surveillance Tool EagleMsgSpy Used by Chinese Law Enforcement

Lookout details EagleMsgSpy, a surveillance tool used by Chinese law enforcement to collect data from Android devices.

For years, Chinese law enforcement has been using a lawful surveillance tool to collect extensive data from Android devices, cybersecurity firm Lookout reports.

Dubbed EagleMsgSpy and created by a Chinese software development company, the tool has been in use since at least 2017, and has only been deployed through physical access to the victims’ devices.

The spyware consists of an installer APK, which is likely executed by law enforcement officers with access to an unlocked device, and a headless surveillance module that runs on the device and collects sensitive information.

“We believe that this is the only distribution mechanism and neither the installer nor the payload have been observed on Google Play or other app stores,” Lookout says.

However, the security firm discovered that the tool might be used by multiple customers of the Chinese software vendor, as it requires an account when executed.

EagleMsgSpy’s surveillance module collects SMS messages, communication from multiple messaging applications, call logs, contacts, and browser bookmarks, and can capture screenshots and record the device screen and audio.

It also compiles a list of installed applications and a list of files on external storage, retrieves the device’s GPS coordinates, and collects information on WiFi and cellular network connections.

The collected data is stored in a hidden directory, then compressed and password-protected before being sent to the command-and-control (C&C) server, which also hosts an administrative panel that requires user authentication.

Lookout’s analysis of the panel’s source code revealed multiple functions that distinguish between Android and iOS devices, but an iOS version of EagleMsgSpy has not been identified.

Based on the IP address of a C&C server, the surveillance tool has been linked to Wuhan Chinasoft Token Information Technology Co., Ltd., a Chinese technology company that appears to have been created in 2016 and has fewer than 50 employees.

Lookout believes that the surveillance tool was developed and is maintained by the Chinese company and that several public security bureaus in mainland China (government offices acting as local police stations) are using it.

The cybersecurity firm also identified a link between EagleMsgSpy and CarbonSteal, a surveillance tool that has been used to spy on minorities in China, including Uyghurs and Tibetans.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.