Researchers uncovered EagleMsgSpy, a mobile surveillance tool used by Chinese law enforcement that collects extensive data (messages, calls, GPS, audio, screenshots) and requires physical access to install. Lookout links development and ongoing maintenance to Wuhan Chinasoft Token Information Technology Co., Ltd and found C2/admin infrastructure (tzsafe domains) tied to public security bureaus across China. #EagleMsgSpy #WuhanChinasoft
Key points
- EagleMsgSpy is an Android-targeted surveillance family active since at least 2017 and requires physical access to the unlocked device for installation.
- The tool's installer delivers a headless payload that collects messages, call logs, contacts, GPS, screenshots, screen recordings, audio, app lists, browser bookmarks and file listings.
- Collected data is staged in a hidden directory, compressed, password-protected and exfiltrated to command-and-control (C2) servers managed via an authenticated admin panel labeled "维稳研判系统" ("Stability Maintenance Judgement System").
- Lookout found evidence in source code and admin panels implying an iOS component exists though it has not yet been located.
- Infrastructure and string overlap (tzsafe) link EagleMsgSpy to Wuhan Chinasoft Token Information Technology Co., Ltd, and to multiple public security bureaus in mainland China.
- Researchers observed increasing obfuscation and encrypted key storage across variants, indicating active maintenance and efforts to evade detection.
MITRE Techniques
- No MITRE ATT&CK techniques were explicitly mentioned in the article.
Indicators of Compromise
- [File hashes] SHA1 samples from Lookout analysis: dab40467824ff3960476d924ada91997ddfce0b0, fef7ad2b74db3e42909c04816c66c61c61b7a8c4, and 25 more hashes
- [IP addresses] C2 and related infrastructure: 202.107.80[.]34, 119.36.193[.]210, and 11 more IPs
- [Domains] C2/admin and vendor infrastructure (tzsafe): www.tzsafe[.]com, eagle.tzsafe[.]com, and 11 more domains
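As an added example (not code from the Lookout report), the script below shows how a defender can turn the defanged network indicators quoted above back into matchable form and sweep them across egress or DNS logs. It uses only the four indicators listed on this page; the log lines and their "timestamp src -> dst:port" layout are constructed for the example and are not real traffic.

```python
import ipaddress
import re

# Indicators exactly as quoted in the summary above (defanged as published).
# The full report lists more; extend this list from the source article.
DEFANGED_INDICATORS = [
    "202.107.80[.]34",
    "119.36.193[.]210",
    "www.tzsafe[.]com",
    "eagle.tzsafe[.]com",
]


def refang(indicator):
    """Turn a defanged indicator ('[.]', 'hxxp') back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def build_matcher(indicators):
    """Split refanged indicators into an IP set and a domain set."""
    ips, domains = set(), set()
    for raw in indicators:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value.rstrip("."))
    return ips, domains


def host_matches(host, ips, domains):
    """True if host is a listed IP, a listed domain, or a subdomain of one."""
    host = host.lower().rstrip(".")
    if host in ips:
        return True
    return any(host == d or host.endswith("." + d) for d in domains)


# Constructed log layout: "<timestamp> <src> -> <dst>[:<port>]" (IPv4/hostnames only).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[^:\s]+)(?::(?P<port>\d+))?"
)


def scan_log(lines, indicators=DEFANGED_INDICATORS):
    """Return (timestamp, src, dst) for every line whose destination hits an indicator."""
    ips, domains = build_matcher(indicators)
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        dst = m.group("dst")
        if host_matches(dst, ips, domains):
            hits.append((m.group("ts"), m.group("src"), dst))
    return hits


# Constructed sample log lines for this example; not taken from the report.
SAMPLE_LOG = [
    "2024-12-10T08:15:02Z 10.0.0.12 -> eagle.tzsafe.com:443",
    "2024-12-10T08:15:05Z 10.0.0.12 -> updates.example.net:443",
    "2024-12-10T08:16:40Z 10.0.0.31 -> 202.107.80.34:8080",
    "2024-12-10T08:17:01Z 10.0.0.31 -> 119.36.193.2:443",
]

if __name__ == "__main__":
    for ts, src, dst in scan_log(SAMPLE_LOG):
        print(f"{ts} {src} contacted listed indicator {dst}")
```

IPs are matched exactly, so the near-miss 119.36.193.2 in the sample is correctly ignored; domains are matched by suffix so that any host under a listed domain is flagged. Because the page notes that the tool stages data locally and exfiltrates it to these C2 servers, the network hits from a mobile device's address are the practical starting point for an investigation, after which the file-hash indicators can be checked on the device itself.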
Read more: https://www.lookout.com/threat-intelligence/article/eaglemsgspy-chinese-android-surveillanceware