A cybersecurity firm has attributed two previously undocumented Android spyware families, WyrmSpy and DragonEgg, to APT41, a China-linked cyberespionage group also tracked as Winnti, Axiom, Barium, Blackfly, and HOODOO. APT41 has been active since at least 2007 and has not slowed down despite recent indictments by the U.S. government. The group now treats mobile devices as high-value targets for its espionage operations.
The researchers linked WyrmSpy and DragonEgg through overlapping Android signing certificates: some WyrmSpy versions were signed with unique certificates that were later used to sign DragonEgg. They also tied the malware's command-and-control (C2) infrastructure to Chengdu 404, the company named in those indictments, via an IP address associated with APT41's hacking infrastructure between May 2014 and August 2020.
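The certificate-overlap pivot described above can be reproduced on your own sample set. The following is an added example, not Lookout's tooling or anything from the report: it assumes you have already run `apksigner verify --print-certs` on each APK and saved the output, parses the `Signer #N certificate SHA-256 digest:` lines, clusters samples transitively by shared signer (so a sample signed by certificates A and B links the A-only and B-only samples), and reports any certificate that appears under more than one family label. The apksigner text, the sample names and the fingerprints below are all constructed placeholders.

```python
"""Cluster Android samples by shared signing certificate (added example).

Assumes `apksigner verify --print-certs <sample.apk>` has been run per sample
and its output captured. All sample data below is constructed; the fingerprints
are sha256 of labels, not real certificates.
"""
import hashlib
import re
from collections import defaultdict

# Matches the SHA-256 line apksigner prints for each signer.
SHA256_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.MULTILINE
)

# Populate with fingerprints of keys you know are widely shared (AOSP test keys,
# debug keystores) so they never count as an attribution link. Left empty here.
WIDELY_SHARED_KEYS = set()


def fake_fp(label):
    """Placeholder 64-hex fingerprint for the constructed data (not a real cert)."""
    return hashlib.sha256(label.encode()).hexdigest()


CERT_A, CERT_B, CERT_C, CERT_D = (fake_fp(x) for x in ("cert-A", "cert-B", "cert-C", "cert-D"))


def apksigner_block(*fps):
    """Build text in the shape of `apksigner verify --print-certs` output (constructed)."""
    lines = []
    for i, fp in enumerate(fps, 1):
        lines += [
            f"Signer #{i} certificate DN: CN=Android Debug, O=Android, C=US",
            f"Signer #{i} certificate SHA-256 digest: {fp}",
            f"Signer #{i} certificate SHA-1 digest: {fp[:40]}",
            f"Signer #{i} certificate MD5 digest: {fp[:32]}",
        ]
    return "\n".join(lines) + "\n"


# (sample name, family label from the analyst's own triage, apksigner output)
# Constructed scenario: one WyrmSpy build is signed by both its old cert (A) and
# a new cert (B); the first DragonEgg sample is signed by B alone.
SAMPLES = [
    ("wyrmspy_2017.apk", "WyrmSpy", apksigner_block(CERT_A)),
    ("wyrmspy_2020.apk", "WyrmSpy", apksigner_block(CERT_A, CERT_B)),
    ("dragonegg_2021.apk", "DragonEgg", apksigner_block(CERT_B)),
    ("dragonegg_2023.apk", "DragonEgg", apksigner_block(CERT_C)),
    ("unrelated.apk", "Benign", apksigner_block(CERT_D)),
]


def parse_signer_fingerprints(output):
    """Return the set of signer SHA-256 fingerprints (lowercase) in one apksigner output."""
    fps = {m.group(1).lower() for m in SHA256_RE.finditer(output)}
    return fps - WIDELY_SHARED_KEYS


def cluster_by_signer(samples):
    """Union-find over samples: two samples join a cluster if they share any signer."""
    parent = {name: name for name, _, _ in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    cert_to_samples = defaultdict(list)
    for name, _, out in samples:
        for fp in parse_signer_fingerprints(out):
            cert_to_samples[fp].append(name)
    for names in cert_to_samples.values():
        for other in names[1:]:
            parent[find(names[0])] = find(other)
    clusters = defaultdict(set)
    for name, _, _ in samples:
        clusters[find(name)].add(name)
    return sorted(clusters.values(), key=lambda s: sorted(s)), dict(cert_to_samples)


def cross_family_certs(samples):
    """Certificates seen under more than one family label: the attribution pivot."""
    family = {name: fam for name, fam, _ in samples}
    _, cert_to_samples = cluster_by_signer(samples)
    return {
        fp: sorted({family[n] for n in names})
        for fp, names in cert_to_samples.items()
        if len({family[n] for n in names}) > 1
    }


if __name__ == "__main__":
    clusters, _ = cluster_by_signer(SAMPLES)
    for c in clusters:
        print("cluster:", sorted(c))
    for fp, fams in cross_family_certs(SAMPLES).items():
        print(f"cert {fp[:16]}... shared by families {fams}")
```

A shared signing key is a strong link but not proof of a shared operator: keys leak, are resold, or are the AOSP test keys and debug keystores that countless unrelated apps carry, which is why the example strips a `WIDELY_SHARED_KEYS` set before clustering. Corroborate an overlap with infrastructure, as the researchers did with the C2 IP address, before treating it as attribution.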
Researchers first detected WyrmSpy in 2017 and DragonEgg in early 2021; the most recent DragonEgg samples are from April 2023. WyrmSpy initially posed as a default Android system app for displaying notifications, while later variants posed as adult video content, the “Baidu Waimai” food delivery platform, and Adobe Flash. DragonEgg, by contrast, poses as third-party Android keyboards and messaging apps such as Telegram.
Once installed, both spyware families request extensive device permissions and rely on modules downloaded after installation to exfiltrate data from the device. WyrmSpy can collect log files, photos, device location, SMS messages (with both read and write access), and audio recordings; it escalates privileges with known rooting tools and carries out surveillance on command from its C2 servers. DragonEgg likewise fetches additional payloads to implement its surveillance capabilities, collecting device contacts, SMS messages, files on external storage, device location, audio recordings, and camera photos.
WyrmSpy bundles popular rooting tools such as KingRoot and IovyRoot/IvyRoot and can disable SELinux on the Android versions those tools support. If the bundled tool fails or is absent and the device is not already rooted, it falls back to asking the C2 infrastructure for a device-specific rooting binary, keyed on the device's model and kernel version. Google said that, based on its current detection capabilities, it found no apps containing this malware on Google Play.
“If the packaged rooting tool does not work or does not exist, and if the device is not already rooted, the malware queries the C2 infrastructure with the model and kernel version of the infected device. It then receives a response containing a file name which the malware uses to download additional rooting binaries from C2 infrastructure if one exists for the specified device,” they conclude.