android
Image: Unsplash

China-linked hackers target mobile devices with WyrmSpy and DragonEgg spyware

The infamous Chinese hacking group tracked as APT41 has been using two newly-identified spyware strains to infect Android devices, cybersecurity researchers said.

APT41, also known as Winnti and Brass Typhoon (formerly Barium), is a state-sponsored espionage group that has been active for more than a decade and is known for targeting government organizations for intelligence gathering purposes and private enterprises for financial gain.

APT41has historically exploited web applications and network-connected devices such as computers, tablets, and printers. It doesn't typically target mobile platforms, according to research released Wednesday by U.S. security firm Lookout, which found links between the group and two Android spyware strains that it calls WyrmSpy and DragonEgg.

Lookout said the spyware was sophisticated and could be used to collect victims’ camera photos, device location, SMS messages, audio recordings and contacts.

WyrmSpy pretends to be a default operating system app used for displaying notifications to the user, while DragonEgg disguises itself as a third-party keyboard and messaging app like Telegram.

The researchers said they were able to connect APT41 to the malware because they use a command-and-control server with an IP address and domain associated with the group’s infrastructure.

Screenshot 2023-07-19 at 3.37.54 PM.png
An FBI wanted poster for Chinese nationals believed to be involved with APT41.

Researchers said they first detected WyrmSpy as early as 2017 and DragonEgg at the start of 2021, but they aren’t widespread. Lookout believes they are likely distributed to victims through social engineering campaigns. No apps containing this malware were found on Google Play.

Although the strains haven’t been widely used yet, their attribution to Chinese hackers is important, according to Lookout.

The fact that “an established threat actor like APT41 is turning its focus to mobile devices shows that mobile platforms are high-value targets for hackers,” the researchers said.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
What is Threat Intelligence
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.