The Chinese threat group APT41, also tracked as Double Dragon, BARIUM, and Winnti, has been linked to the development and deployment of advanced Android surveillanceware. Lookout researchers identified two malware families, WyrmSpy and DragonEgg, and attributed both to the group. The finding documents APT41’s expansion onto mobile platforms and underlines how capable Android malware has become.
APT41: State-Sponsored Espionage Group
APT41 is a state-sponsored espionage group based in China whose activity dates back to 2012. It is unusual among state-backed APT groups in that it conducts espionage against government targets and also runs financially motivated intrusions against private enterprises. The group has compromised more than 100 organizations and individuals in countries including the United States, Australia, Japan, India, South Korea, Singapore, and Taiwan. Its victims span software development, computer hardware manufacturing, telecommunications, social media, video games, education, and government bodies.
In 2019 and 2020, the U.S. Department of Justice indicted five individuals associated with APT41. Three of them, Jiang Lizhi, Qian Chuan, and Fu Qiang, hold leadership positions in Chengdu 404 Network Technology Co., Ltd., also known as “Chengdu 404.” The indictment charged these individuals with multiple cyber-related crimes, including conspiracy, money laundering, fraud, and unauthorized access to protected computers.
WyrmSpy and DragonEgg
WyrmSpy and DragonEgg are sophisticated Android surveillanceware attributed to APT41 by Lookout researchers. While APT41 is renowned for targeting web-facing applications and traditional endpoint devices, the discovery of these malware instances highlights the group’s expansion into mobile platforms.
WyrmSpy masquerades as a default Android system app, while DragonEgg poses as a third-party keyboard or messaging app. In both families the installed package carries little of the malicious logic itself: the data collection and exfiltration code arrives in additional modules downloaded after installation, which keeps the initial app looking comparatively benign to a reviewer or scanner.
Deployment and Targeting
The initial delivery vector for WyrmSpy and DragonEgg has not been determined; Lookout assesses social engineering as the most likely method. Neither family has been found on the Google Play Store, so distribution relies on channels outside the official store, such as sideloaded APKs.
WyrmSpy variants have been disguised as various apps, including adult video content, the “Baidu Waimai” food delivery platform, and Adobe Flash. DragonEgg, on the other hand, has been observed in the form of fake Android keyboards and messaging apps such as Telegram.
Notable Capabilities
WyrmSpy and DragonEgg request extensive device permissions upon installation. They rely on additional modules, downloaded after installation, to enable data collection and exfiltration. The capabilities of each malware strain are as follows:
WyrmSpy:
- Escalate privileges with known rooting tools and disable SELinux, then use the elevated access to carry out surveillance.
- Upload log files, photos, and device location using the Baidu Location library.
- Exfiltrate additional data such as SMS messages and audio recordings.
DragonEgg:
- Request device permissions well beyond what a keyboard or messaging app needs; the code that actually uses them lives in a module fetched after installation rather than in the installed app.
- Acquire and exfiltrate device contacts, SMS messages, external device storage files, location, audio recordings, and camera photos.
Technical Analysis and Connection to APT41
The link between WyrmSpy, DragonEgg, and APT41 rests on overlapping Android signing certificates: certificates first seen on WyrmSpy samples later appeared on DragonEgg samples, pointing to the same developers. A shared certificate on its own is circumstantial, since signing keys can be stolen or passed around, but here it is corroborated by infrastructure: the command-and-control (C2) servers hard-coded into WyrmSpy’s source code overlapped with infrastructure tied to Chengdu 404, the company associated with the individuals indicted by the U.S. Department of Justice.
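The certificate overlap described above is a pivot an analyst can reproduce on any sample set. The script below is an added example, not Lookout’s tooling and not code from the report: it pulls the signer certificate out of the PKCS#7 blob that a v1 (JAR) signed APK stores under META-INF/, fingerprints it with SHA-256, and groups samples that share a signer. The APKs and certificates it runs on are constructed in-memory stand-ins (a real X.509 certificate is far larger), and the sample names are hypothetical; the parsing logic is the same on real files.

```python
"""Pivot on APK signing certificates (added example, not Lookout's code).

A v1-signed APK carries the signer's X.509 certificate inside a PKCS#7
SignedData structure at META-INF/<NAME>.RSA (or .DSA / .EC).  A small DER
walker is enough to extract it; the fingerprint then links samples that
share a signer.  Caveat: APKs signed only with v2/v3 keep their certificates
in the APK Signing Block, outside the zip entries, and need apksigner.
"""
import hashlib
import io
import zipfile

SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2


def _tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos -> (tag, body, end_offset)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not expected in PKCS#7")
    first = buf[pos + 1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long-form: 0x80 | number of length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start = pos + hdr
    end = start + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[start:end], end


def _children(body: bytes):
    """Yield (tag, body, raw_tlv_bytes) for each element of a constructed body."""
    pos = 0
    while pos < len(body):
        tag, inner, end = _tlv(body, pos)
        yield tag, inner, body[pos:end]
        pos = end


def certs_from_pkcs7(blob: bytes) -> list[bytes]:
    """Return the DER certificates carried in a PKCS#7 signedData ContentInfo."""
    tag, content_info, _ = _tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("ContentInfo must be a SEQUENCE")
    parts = list(_children(content_info))
    if parts[0][0] != 0x06 or parts[0][1] != SIGNED_DATA_OID:
        raise ValueError("not a signedData ContentInfo")
    _, explicit, _ = parts[1]             # [0] EXPLICIT wrapping SignedData
    _, signed_data, _ = _tlv(explicit, 0)
    for tag, body, _ in _children(signed_data):
        if tag == 0xA0:                   # [0] IMPLICIT CertificateSet
            return [raw for t, _, raw in _children(body) if t == 0x30]
    return []


def signer_fingerprints(apk_bytes: bytes) -> list[str]:
    """SHA-256 fingerprints of every v1 signer certificate in the APK."""
    fps = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC")):
                for cert in certs_from_pkcs7(zf.read(name)):
                    fps.append(hashlib.sha256(cert).hexdigest())
    return fps


def cluster_by_signer(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Group sample names by certificate fingerprint: the attribution pivot."""
    clusters: dict[str, list[str]] = {}
    for name, apk in samples.items():
        for fp in signer_fingerprints(apk):
            clusters.setdefault(fp, []).append(name)
    return clusters


# --- constructed test data (stand-ins, not real certificates or malware) ---
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _fake_cert(subject: bytes) -> bytes:
    # Shape of an X.509 Certificate SEQUENCE; long enough to use long-form lengths.
    return _der(0x30, _der(0x30, subject) + _der(0x03, b"\x00" + b"sig" * 50))


def _fake_pkcs7(cert: bytes) -> bytes:
    signed_data = (_der(0x02, b"\x01")                                   # version
                   + _der(0x31, b"")                                     # digestAlgorithms
                   + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010701")))  # data
                   + _der(0xA0, cert)                                    # [0] certificates
                   + _der(0x31, b""))                                    # signerInfos
    return _der(0x30, _der(0x06, SIGNED_DATA_OID) + _der(0xA0, _der(0x30, signed_data)))


def _fake_apk(cert: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed placeholder/>")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", _fake_pkcs7(cert))
    return buf.getvalue()


SHARED_CERT = _fake_cert(b"CN=shared-signer (constructed)")
OTHER_CERT = _fake_cert(b"CN=unrelated-signer (constructed)")
SAMPLES = {                                # hypothetical sample names
    "wyrmspy_sample_a.apk": _fake_apk(SHARED_CERT),
    "dragonegg_sample_b.apk": _fake_apk(SHARED_CERT),
    "benign_keyboard.apk": _fake_apk(OTHER_CERT),
}

if __name__ == "__main__":
    for fp, names in cluster_by_signer(SAMPLES).items():
        print(fp[:16], sorted(names))
```

On real samples, replace the constructed SAMPLES dict with the bytes of each APK; `apksigner verify --print-certs` gives the same fingerprints and also covers v2/v3 signatures. Treat a shared fingerprint as a lead to be corroborated with infrastructure or code overlap, as in the report, rather than as proof of common authorship on its own.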
Conclusion
The discovery of WyrmSpy and DragonEgg shows how far advanced Android malware has developed. APT41’s move onto mobile platforms demonstrates the value of mobile endpoints as targets for espionage and data theft. Organizations and individuals should restrict installation of apps from outside official stores and treat apps that request permissions out of proportion to their stated purpose, or that load additional code after installation, as warranting scrutiny.