WyrmSpy and DragonEgg: Lookout Attributes Android Spyware to China’s APT41 | Threat Intel

Lookout attributes two modular Android surveillanceware families, WyrmSpy and DragonEgg, to the Chinese threat group APT41 based on shared signing certificates and overlapping C2 infrastructure linking to Chengdu 404. Both implants request broad device permissions, download secondary payloads (e.g., smallmload.jar), attempt rooting (KingRoot/IovyRoot), and exfiltrate sensitive data such as photos, SMS, audio, and location. #WyrmSpy #DragonEgg

Keypoints

  • Lookout links WyrmSpy and DragonEgg to APT41 through shared Android signing certificates and C2 overlap tied to Chengdu 404.
  • WyrmSpy and DragonEgg are modular: core APKs request extensive permissions and then download secondary/tertiary payloads (e.g., smallmload.jar) to enable surveillance features.
  • WyrmSpy attempts device rooting using known tools (KingRoot, IovyRoot/IvyRoot) and can disable SELinux on compatible Android versions.
  • Both families use hard-coded or configured C2 entries (notably 121.42.149[.]52 and vpn2.umisen[.]com) and configuration files (ManifestFile.json) to control behaviors and beaconing intervals.
  • Observed or likely data collection includes log files, photos, contacts, SMS, external storage, device location, audio recordings, and camera images.
  • DragonEgg commonly trojanizes messaging/keyboard apps and loads a secondary payload that fetches a tertiary “forensics program (T1 version).”

MITRE Techniques

  • None – The article does not explicitly reference MITRE ATT&CK technique IDs or names (‘Lookout Threat Lab researchers have been actively tracking both spyware and providing coverage to Lookout Mobile Endpoint Security customers.’).

Indicators of Compromise

  • [SHA1] WyrmSpy samples – 92ddbe438c8c8c1ef82fa5bb02e526db10829736, 0b4a9a3f167178054ef9f9a97463cbe31f078c2f, and 40+ other hashes
  • [SHA1] DragonEgg samples – b456a61a3e0ac6073a716b06293a3295a261de56, 209567f4f28c5c8abcbe56d789e558aa64239534, and 3 more hashes
  • [Infrastructure IPs] C2 and hosting – 121.42.149[.]52, 116.205.4[.]18 (used as resolving/communication endpoints)
  • [Domains/Subdomains] C2 and related domains – vpn2.umisen[.]com, update.umisen[.]com, dns.win10micros0ft[.]com, www.andropwn[.]xyz
  • [File names] Secondary/Config artifacts – smallmload.jar, ManifestFile.json
  • [Tooling/Artifacts] Rooting and device modification – KingRoot, IovyRoot/IvyRoot (bundled or fetched rooting tools)
  • [WHOIS/Registrant] Domain registration artifact – huliwahaha@gmail[.]com (WHOIS for umisen[.]com linked to Chengdu 404 registrant)

WyrmSpy and DragonEgg operate as lightweight launcher APKs that request broad Android permissions, then fetch additional modules to perform the bulk of surveillance and exfiltration. WyrmSpy includes built-in logic to create and update local configuration files on startup (including a downloaded ManifestFile.json) that dictate beaconing intervals, file upload/download lists, and shell commands; DragonEgg typically retrieves a secondary payload named smallmload.jar which in turn loads a tertiary “forensics program (T1 version).”

WyrmSpy attempts privilege escalation by invoking known rooting tools (KingRoot, IovyRoot/IvyRoot) and can disable SELinux where applicable; if the bundled rooting tools fail, the implant reports the device model and kernel version to the C2 server and downloads device-specific rooting binaries. Both families rely on hard-coded or configured C2 endpoints (notably 121.42.149[.]52 and related umisen[.]com subdomains) and use those channels to receive commands that toggle collection flags (e.g., AudioRecord, Files) and to exfiltrate collected artifacts.

Collected and exfiltrated data include log files, photos, camera images, contacts, SMS messages, external storage files, device location (via Baidu Location library), and audio recordings. DragonEgg’s tactic of trojanizing legitimate messaging or keyboard apps helps it blend in while requesting sensitive permissions, and the modular architecture (core APK → smallmload.jar → T1 module) enables dynamic capability updates from C2 infrastructure.
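As an added defender-side example (not code from Lookout's article or from the implants), the following Python refangs the indicators listed above and sweeps constructed DNS/HTTP proxy log lines for them, flagging a device as "staged" when it both contacts a listed C2 host and fetches one of the named loader artifacts (smallmload.jar, ManifestFile.json), the core APK → module chain described above. The log line format, device names and sample traffic are assumptions.

```python
import re
# Indicators exactly as listed above (defanged), with the role the page gives them.
DEFANGED_IOCS = {
    "121.42.149[.]52": "C2 IP", "116.205.4[.]18": "infrastructure IP",
    "vpn2.umisen[.]com": "C2 domain", "update.umisen[.]com": "related domain",
    "dns.win10micros0ft[.]com": "related domain", "www.andropwn[.]xyz": "related domain",
}
# Staged artifacts named above: a fetch of one from a listed host reproduces
# the core APK -> module loader chain the summary describes.
PAYLOAD_NAMES = ("smallmload.jar", "ManifestFile.json")

def refang(ioc: str) -> str:
    """Turn a defanged indicator ('121.42.149[.]52', 'hxxp://') into live form."""
    return ioc.replace("[.]", ".").replace("hxxp://", "http://")

IOCS = {refang(k): v for k, v in DEFANGED_IOCS.items()}
# Assumed (constructed) log shape: "<timestamp> <device> <dns|http> <target>".
LOG_RE = re.compile(r"^\S+\s+(?P<device>\S+)\s+(?P<kind>dns|http)\s+(?P<target>\S+)$")

def host_of(target: str) -> str:
    """Host part of a URL or bare name; defanged input is accepted too."""
    return re.sub(r"^https?://", "", refang(target)).split("/")[0].split(":")[0].lower()

def scan(lines):
    """Per device: matched C2 hosts, staged-payload fetches, and 'staged'
    when both occur (the strongest signal available from this page's IoCs)."""
    findings = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        dev, target = m.group("device"), m.group("target")
        e = findings.setdefault(dev, {"c2": [], "payloads": [], "staged": False})
        host, name = host_of(target), target.rsplit("/", 1)[-1]
        if host in IOCS and (label := f"{host} ({IOCS[host]})") not in e["c2"]:
            e["c2"].append(label)
        if name in PAYLOAD_NAMES and name not in e["payloads"]:
            e["payloads"].append(name)
        e["staged"] = bool(e["c2"] and e["payloads"])
    return {d: e for d, e in findings.items() if e["c2"] or e["payloads"]}

# Constructed sample traffic, not real telemetry.
SAMPLE_LOG = """\
2023-07-19T10:00:01Z pixel-7a dns vpn2.umisen[.]com
2023-07-19T10:00:02Z pixel-7a http hxxp://121.42.149[.]52/dl/smallmload.jar
2023-07-19T10:00:05Z pixel-7a http hxxp://121.42.149[.]52/cfg/ManifestFile.json
2023-07-19T10:01:00Z galaxy-s21 dns update.microsoft.com
this line is malformed and must be skipped
"""
```

Running `scan(SAMPLE_LOG.splitlines())` reports only pixel-7a, with both C2 contact and both payload fetches, so it is flagged as staged; the galaxy-s21 traffic and the malformed line produce no finding.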

Read more: https://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41