Researchers have discovered a mobile surveillance tool called EagleMsgSpy, which was created by a Chinese software development company and has been in active use since at least 2017. The tool has only been deployed through physical access to victims' devices and is actively used by Chinese law enforcement.
The tool was discovered by security researchers at Lookout, whose code analysis revealed the IP address of a Command and Control (C2) server and an administrative control panel called "Stability Maintenance Judgment System." A complete instruction manual was also found documenting the tool's capabilities and how to use them. Once deployed, EagleMsgSpy gives the operators access to the following:
- Uses the Notification Listener and Accessibility Services to monitor device use and intercept incoming messages
- Collects all messages from QQ, Telegram, Viber, WhatsApp and WeChat
- Initiates screen recording of the device through the Media Projection service
- Captures screenshots
- Captures audio recordings of the device while in use
- Collects call logs
- Collects device contacts
- Collects SMS messages
- Compiles a list of installed applications on the device
- Retrieves GPS coordinates
- Details Wi-Fi and network connections
- Compiles a list of files in external storage
- Collects bookmarks from the device browser
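The first item above rests on two Android privileges an app must be explicitly granted: notification-listener and accessibility-service access. A defender's triage helper for those two settings, added here as an example (not part of the Lookout report or any EagleMsgSpy code), assumes the text comes from `adb shell settings get secure enabled_notification_listeners` and `enabled_accessibility_services`, and uses constructed package names:

```python
"""Triage which Android packages hold the notification-listener and
accessibility privileges that EagleMsgSpy is reported to rely on."""
from typing import Dict, List, Set

# Constructed sample output of the two `settings get secure` queries.
# Package names are illustrative only, not indicators from the report.
SAMPLE_LISTENERS = (
    "com.android.systemui/.notifications.NotificationListener:"
    "com.example.suspicious/.NotifySvc"
)
SAMPLE_A11Y = "com.example.suspicious/.AccessSvc"

# Packages a defender has reviewed and accepts (assumed allowlist).
KNOWN_GOOD: Set[str] = {"com.android.systemui"}


def parse_component_list(raw: str) -> List[str]:
    """Return the package names from a ':'-separated list of flattened
    ComponentNames (package/class); an unset setting prints 'null'."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    packages: List[str] = []
    for component in raw.split(":"):
        component = component.strip()
        if component:
            packages.append(component.split("/", 1)[0])
    return packages


def triage(listeners_raw: str, a11y_raw: str,
           allowlist: Set[str]) -> Dict[str, List[str]]:
    """Map each non-allowlisted package to the privileges it holds.
    A package holding both is the combination worth inspecting first."""
    findings: Dict[str, List[str]] = {}
    for privilege, raw in (("notification_listener", listeners_raw),
                           ("accessibility_service", a11y_raw)):
        for pkg in parse_component_list(raw):
            if pkg in allowlist:
                continue
            held = findings.setdefault(pkg, [])
            if privilege not in held:
                held.append(privilege)
    return findings


if __name__ == "__main__":
    for pkg, privs in triage(SAMPLE_LISTENERS, SAMPLE_A11Y, KNOWN_GOOD).items():
        print(f"{pkg}: {', '.join(privs)}")
```

Any package that appears in both lists without being a known system or assistive component deserves a closer look, since that pairing is what makes silent message interception possible.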
Source code analysis of the tool revealed code that distinguishes between Android and iOS devices, suggesting that an iOS version exists. The researchers have not yet found evidence of one.
Based on the IP address of the C2 server, the tool has been linked to Wuhan Chinasoft Token Information Technology Co., Ltd., a Chinese company with fewer than 50 employees founded in 2016, one year before the first signs of the tool's use appeared.
Researchers believe the tool was developed, and is still maintained, by this company. Based on the infrastructure overlap between the tool's C2 server and domains used by several public security bureaus in mainland China, the tool is believed to have been used in those regions. These public security bureaus are government offices that act as police stations responsible for social order and local policing.