Lookout Discovers New Chinese Surveillance Tool Used by Public Security Bureaus

Researchers at Lookout Threat Lab have uncovered a surveillance tool named EagleMsgSpy, used by Chinese law enforcement to extract sensitive data from mobile devices. The tool requires physical access to the device for installation and can then capture a wide range of information, including messages, location data, and call logs. Internal documentation suggests an iOS variant exists, but none has yet been found. Affected: mobile devices, law enforcement, public security bureaus

Key points:

  • Discovery of EagleMsgSpy surveillance tool by Lookout Threat Lab.
  • Used by law enforcement in China to gather extensive data from mobile devices.
  • Requires physical access for installation onto devices.
  • Internal documentation hints at the existence of an iOS version.
  • Installer app allows multiple configuration options and requires a user “channel” for operation.
  • Collects detailed information such as call logs, messages, contacts, and GPS data.
  • Data is exfiltrated to command-and-control (C2) servers after being encrypted.
  • EagleMsgSpy is reportedly maintained by Wuhan Chinasoft Token Information Technology Co., Ltd.
  • Ties to various public security bureaus in mainland China indicate widespread use.
  • Similarities with other Chinese surveillance tools highlight broader surveillance efforts in the region.

MITRE Techniques:

  • Data Encrypted (T1027) – The payload utilizes encryption for data exfiltration.
  • Input Capture (T1056) – Captures screen recordings, screenshots, and audio while the device is in use.
  • Data Collection (T1119) – Collects various types of information including call logs, messages, and GPS data from the device.
  • Command and Control (T1071) – Establishes communication with C2 servers for data exfiltration.

Indicators of Compromise:

  • [IP Address] 61.136.71[.]171
  • [Domain] tzsafe[.]com
  • [Domain] xkong.tzsafe[.]com
  • [IP Address] 202.107.80[.]34
  • [SHA1] dab40467824ff3960476d924ada91997ddfce0b0
  • [SHA1] fef7ad2b74db3e42909c04816c66c61c61b7a…
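The network indicators above are published in defanged form (`[.]`), so they cannot be dropped straight into a log search. The following is an added example, not code from Lookout or from the original article: it refangs the listed IPs and domains, then scans a handful of constructed DNS and connection log lines for exact IP matches and for domain matches that also catch subdomains (so `xkong.tzsafe.com` and any other host under `tzsafe.com` are flagged). The log format and client addresses are invented for the example; the hash indicators are left out because file-hash matching belongs in an APK inventory rather than a network log scan.

```python
import ipaddress
import re
from dataclasses import dataclass

# Network IoCs from the EagleMsgSpy summary, exactly as published (defanged).
DEFANGED_IOCS = [
    "61.136.71[.]171",
    "tzsafe[.]com",
    "xkong.tzsafe[.]com",
    "202.107.80[.]34",
]

# Constructed sample log lines (not real telemetry): DNS queries and outbound connections.
SAMPLE_LOGS = [
    "2024-12-10T08:01:12Z dns query=xkong.tzsafe.com type=A client=10.0.0.14",
    "2024-12-10T08:01:13Z conn src=10.0.0.14 dst=61.136.71.171:443 proto=tcp",
    "2024-12-10T08:02:00Z dns query=updates.example.com type=A client=10.0.0.22",
    "2024-12-10T08:03:41Z conn src=10.0.0.22 dst=202.107.80.34:8080 proto=tcp",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostnames: dotted labels ending in an alphabetic TLD, so bare IPs are not matched here.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int    # 1-based index into the scanned lines
    indicator: str  # the IoC that fired
    matched: str    # the token in the log line that matched it


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp://') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def build_sets(defanged):
    """Split refanged indicators into an IP set and a domain set."""
    ips, domains = set(), set()
    for ioc in defanged:
        clean = refang(ioc)
        (ips if is_ip(clean) else domains).add(clean)
    return ips, domains


def domain_matches(host, domains):
    """Return the most specific IoC domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    if host in domains:
        return host
    # Longest suffix first so 'a.xkong.tzsafe.com' reports 'xkong.tzsafe.com', not 'tzsafe.com'.
    for d in sorted(domains, key=len, reverse=True):
        if host.endswith("." + d):
            return d
    return None


def scan_lines(lines, defanged=DEFANGED_IOCS):
    """Scan log lines for IoC IPs (exact) and IoC domains (exact or subdomain)."""
    ips, domains = build_sets(defanged)
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in sorted(set(IP_RE.findall(line))):
            if ip in ips:
                hits.append(Hit(n, ip, ip))
        for host in sorted(set(HOST_RE.findall(line))):
            d = domain_matches(host, domains)
            if d is not None:
                hits.append(Hit(n, d, host.lower()))
    return hits


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.matched} matched IoC {hit.indicator}")
```

Run against the constructed lines, the scan flags lines 1, 2 and 4 and leaves the `updates.example.com` query alone. In a real deployment, feed it exported DNS or proxy logs and treat a hit as a trigger for device triage rather than as proof of compromise on its own, since an IoC list this short will age quickly.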

Full Story: https://www.lookout.com/threat-intelligence/article/eaglemsgspy-chinese-android-surveillanceware