Threat Actor: Wuhan Chinasoft Token Information Technology Co., Ltd. | Wuhan Chinasoft Token Information Technology Co., Ltd.
Victim: Various mobile device users | mobile device users
Price: Not publicly disclosed
Exfiltrated Data Type: Sensitive personal information
Key Points :
- EagleMsgSpy is a sophisticated surveillance tool used by law enforcement in China since at least 2017.
- The tool can covertly monitor mobile devices, extracting real-time information without the user’s knowledge.
- It requires physical access to an unlocked device for installation, using a “headless” payload that operates silently.
- Capabilities include monitoring notifications, intercepting messages, capturing screenshots, and recording audio.
- Data collected is stored in hidden directories, compressed, and sent to command-and-control servers.
- Connections to Wuhan Chinasoft Token Information Technology Co., Ltd. indicate state-sponsored surveillance efforts.
- Historical use of similar tools has targeted ethnic minorities, raising significant human rights concerns.
Researchers at the Lookout Threat Lab have identified a sophisticated surveillance tool, dubbed EagleMsgSpy, reportedly used by law enforcement agencies in mainland China. The tool, operational since at least 2017, showcases advanced capabilities for extracting sensitive information from mobile devices.
The researchers describe EagleMsgSpy as a “comprehensive mobile phone judicial monitoring product,” designed to covertly monitor devices. According to the report, it “can obtain real-time mobile phone information of suspects through network control without the suspect’s knowledge, monitor all mobile phone activities of criminals and summarize them.” Notably, this tool has variants targeting both Android and potentially iOS devices, though evidence of the latter remains undiscovered.
The installation process is particularly concerning, as it reportedly requires physical access to an unlocked device. An installer app delivers a “headless” payload, which operates silently in the background. The payload enables:
- Monitoring incoming notifications and intercepting messages from apps like QQ, WhatsApp, and Telegram.
- Capturing screenshots, audio recordings, and device activity via screen recording.
- Collecting detailed call logs, GPS locations, Wi-Fi connections, and browser bookmarks.
- Initiating real-time surveillance actions such as blocking calls or recording live audio.
Once collected, the data is stored in hidden directories on the device, compressed, and password-protected before being exfiltrated to command-and-control (C2) servers.
The Lookout team identified key infrastructure overlaps linking EagleMsgSpy to a Chinese technology company, Wuhan Chinasoft Token Information Technology Co., Ltd. (武汉中软通证信息技术有限公司). Their investigation uncovered significant evidence, including references to the company’s domain in promotional materials and C2 infrastructure.
Additionally, the administrative panel for EagleMsgSpy’s C2, labeled as a “Stability Maintenance Judgment System” (维稳研判系统), further underscores its use in law enforcement contexts. Publicly available contracts suggest similar systems are widely employed by Public Security Bureaus (PSBs) across China.
The report notes an evolution in obfuscation techniques, indicating active maintenance and enhancement of the tool. The researchers observed, “This indicates that this surveillanceware is an actively maintained product whose creators make continuous efforts to protect it from discovery and analysis.”
EagleMsgSpy’s connections to earlier Chinese surveillance tools, such as PluginPhantom and CarbonSteal, reveal a pattern of state-sponsored monitoring. Historical campaigns using these tools targeted ethnic minorities, including Uyghurs and Tibetans, raising concerns about potential human rights implications.
Related Posts:
Original Source: https://securityonline.info/eaglemsg-spyware-unmasking-a-sophisticated-chinese-surveillance-tool/