APT41, a China-based state-sponsored espionage group, targets Android devices with two spyware families, WyrmSpy and DragonEgg, which masquerade as legitimate applications.
The group has been active since 2012 and targets both public and private sector organizations in software development, hardware manufacturing, telecommunications, social media, video games, and other industries.
According to U.S. grand jury indictments from 2019 and 2020, the group was involved in compromising over 100 public and private organizations and individuals in the United States and around the world.
Lookout Threat Lab researchers have been actively tracking both spyware families and have shared their detailed analysis report.
Spyware Attacks on Android Devices
Initially, the malware imitates legitimate Android applications for showing notifications; once successfully installed on the user’s device, it requests multiple device permissions to enable data exfiltration.
Google confirmed that based on current detection, no apps containing this malware are found to be on Google Play.
WyrmSpy can collect log files, photos, device location, SMS messages (read and write), and audio recordings.
It uses known rooting tools to gain escalated privileges on the device and then performs the surveillance activities specified by commands received from its C2 servers.
DragonEgg receives a secondary payload, often named “smallmload.jar,” either from the C2 infrastructure or from a file bundled with the APK.
This file attempts to fetch and launch additional functionality, much as WyrmSpy does; the DragonEgg samples request many permissions for services that the main app never actually uses.
Once it has compromised the device, DragonEgg can also collect data such as device contacts, SMS messages, files on external storage, device location, audio recordings, and camera photos.
Both DragonEgg and WyrmSpy wait for commands from C2 and use configuration files to decide how to behave on the compromised device and what data to extract.
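The over-permissioning described above (a “notification” app that declares SMS, microphone, location, camera and contacts access it never uses for its stated purpose) is something defenders can triage mechanically before any behavioral analysis. The script below is an added example written for this article; it is not code from Lookout’s report or from the malware. It parses a constructed AndroidManifest.xml (the package name, labels and service names are hypothetical) and maps the declared permissions onto the data classes the report says WyrmSpy and DragonEgg collect, flagging the app when too many of those classes are reachable.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Android permissions that grant each class of data the report says the
# spyware families collect (contacts, SMS, storage, location, audio, camera).
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.SEND_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.RECORD_AUDIO": "audio recordings",
    "android.permission.ACCESS_FINE_LOCATION": "device location",
    "android.permission.ACCESS_COARSE_LOCATION": "device location",
    "android.permission.CAMERA": "camera photos",
    "android.permission.READ_CONTACTS": "device contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage files",
    "android.permission.WRITE_EXTERNAL_STORAGE": "external storage files",
}

# Constructed sample manifest (hypothetical package and component names) for an
# app that presents itself as a notification helper but declares far more.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notifyhelper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Notify Helper">
        <service android:name=".SyncService"/>
        <service android:name=".LocationService"/>
        <receiver android:name=".BootReceiver"/>
    </application>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission android:name=...> value in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission")]


def surveillance_capabilities(manifest_xml: str) -> dict[str, list[str]]:
    """Map each sensitive data class to the declared permissions that expose it."""
    caps: dict[str, list[str]] = {}
    for perm in declared_permissions(manifest_xml):
        data_class = SURVEILLANCE_PERMISSIONS.get(perm)
        if data_class:
            caps.setdefault(data_class, []).append(perm)
    return caps


def triage(manifest_xml: str, threshold: int = 3) -> dict:
    """Flag an app when it can reach `threshold` or more surveillance data classes.

    The threshold is a tunable heuristic, not a value from the report: a
    messaging app legitimately needs SMS and contacts, but a notification
    utility that can also record audio, take photos and track location is
    worth a closer look.
    """
    root = ET.fromstring(manifest_xml)
    caps = surveillance_capabilities(manifest_xml)
    return {
        "package": root.get("package"),
        "surveillance_data_classes": sorted(caps),
        "suspicious": len(caps) >= threshold,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

On a real device or APK, `aapt dump permissions` or `apktool` gives you the same uses-permission list; the point of the heuristic is to compare what the app declares against what its advertised purpose needs, which is exactly the mismatch Lookout observed in the DragonEgg samples.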