China-linked hackers target mobile devices with WyrmSpy and DragonEgg spyware

The infamous Chinese hacking group tracked as APT41 has been using two newly-identified spyware strains to infect Android devices, cybersecurity researchers said.

APT41, also known as Winnti and Brass Typhoon (formerly Barium), is a state-sponsored espionage group that has been active for more than a decade and is known for targeting government organizations for intelligence gathering purposes and private enterprises for financial gain.

APT41has historically exploited web applications and network-connected devices such as computers, tablets, and printers. It doesn't typically target mobile platforms, according to research released Wednesday by U.S. security firm Lookout, which found links between the group and two Android spyware strains that it calls WyrmSpy and DragonEgg.

Lookout said the spyware was sophisticated and could be used to collect victims’ camera photos, device location, SMS messages, audio recordings and contacts.

WyrmSpy pretends to be a default operating system app used for displaying notifications to the user, while DragonEgg disguises itself as a third-party keyboard and messaging app like Telegram.

The researchers said they were able to connect APT41 to the malware because they use a command-and-control server with an IP address and domain associated with the group’s infrastructure.

Researchers said they first detected WyrmSpy as early as 2017 and DragonEgg at the start of 2021, but they aren’t widespread. Lookout believes they are likely distributed to victims through social engineering campaigns. No apps containing this malware were found on Google Play.

Although the strains haven’t been widely used yet, their attribution to Chinese hackers is important, according to Lookout.

The fact that “an established threat actor like APT41 is turning its focus to mobile devices shows that mobile platforms are high-value targets for hackers,” the researchers said.