  • APT41 hackers target Android users with WyrmSpy, DragonEgg spyware

    alf9872000

    The Chinese state-backed APT41 hacking group is targeting Android devices with two newly discovered spyware strains dubbed WyrmSpy and DragonEgg by Lookout security researchers.

    APT41 is one of the oldest state hacking groups with a history of targeting various industries in the USA, Asia, and Europe.

    They are known for conducting cyber-espionage operations against entities across various industry sectors, including software development, hardware manufacturing, think tanks, telcos, universities, and foreign governments.

    The group has been tracked under various names by multiple cybersecurity companies. Kaspersky has been monitoring their activity since 2012 as Winnti to identify the malware employed in their attacks.

    Similarly, Mandiant has also been tracking them since 2014 and noticed their activities overlapped with other known Chinese hacking groups like BARIUM.

    The U.S. Department of Justice charged five Chinese nationals linked to APT41 in September 2020 for their involvement in cyberattacks on more than 100 companies.

    "Unlike many nation-state-backed APT groups, APT41 has a track record of compromising both government organizations for espionage, as well as different private enterprises for financial gain," Lookout said in a report published this week.

    The Android spyware link

    While APT41 hackers usually breach their targets' networks via vulnerable web apps and Internet-exposed endpoints, Lookout says the group also targets Android devices with the WyrmSpy and DragonEgg spyware strains.

    Lookout first identified WyrmSpy in 2017 and DragonEgg in early 2021, with the most recent sample observed in April 2023.

    Both Android malware strains have extensive data collection and exfiltration capabilities, which are activated on compromised devices after secondary payloads are deployed.

    While WyrmSpy disguises itself as a default operating system app, DragonEgg is camouflaged as a third-party keyboard or messaging app, using these guises to evade detection.

    The two malware strains also share overlapping Android signing certificates, strengthening their connection to a single threat actor.

    Lookout discovered their link to APT41 after finding a command-and-control (C2) server with the 121.42.149[.]52 IP address (resolving to the vpn2.umisen[.]com domain and hard-coded into the malware source code).

    The server was part of APT41's attack infrastructure between May 2014 and August 2020, as revealed in the U.S. Department of Justice's September 2020 indictment.

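    The two attribution signals described above (a shared signing certificate across samples and a hard-coded C2 indicator) are the kind of thing a defender can check for in bulk. The following is an added triage script, not code from Lookout or the article: it reads APKs as ZIP archives, hashes the signature block under META-INF/ as a crude proxy for "same signing certificate", scans every entry for the two indicators named on the page, and clusters samples that share a signature block. The APK files are constructed in memory so the script runs offline; real samples may encrypt or obfuscate their C2 strings, in which case the static string match will miss them.

```python
import hashlib
import io
import zipfile

# Indicators quoted in the article (page defangs them with [.]; un-defanged for matching).
KNOWN_C2 = {"121.42.149.52", "vpn2.umisen.com"}


def triage(apk_bytes: bytes) -> dict:
    """Return the SHA-256 of the APK's signature block and any known C2 strings found."""
    cert_sha256 = None
    hits = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            # v1 (JAR) signing stores a PKCS#7 block as META-INF/*.RSA|.DSA|.EC.
            # Identical block bytes imply the same certificate; apksigner would
            # extract the certificate itself, which is the more precise check.
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                cert_sha256 = hashlib.sha256(data).hexdigest()
            # Naive static scan: a plain ASCII C2 string in classes.dex, resources, etc.
            for ioc in KNOWN_C2:
                if ioc.encode() in data:
                    hits.add(ioc)
    return {"cert_sha256": cert_sha256, "c2_hits": sorted(hits)}


def cluster_by_cert(results: dict) -> dict:
    """Group sample names by signature-block hash; overlapping groups hint at a common operator."""
    clusters = {}
    for sample, res in results.items():
        clusters.setdefault(res["cert_sha256"], []).append(sample)
    return clusters


def make_apk(cert_blob: bytes, dex_payload: bytes) -> bytes:
    """Build a minimal constructed APK-like ZIP for demonstration (not a real signed APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/CERT.RSA", cert_blob)
        zf.writestr("classes.dex", dex_payload)
    return buf.getvalue()


# Constructed sample set: two samples share a signature block and embed the page's IoCs.
SHARED_SIG = b"constructed-signature-block-A"
SAMPLES = {
    "sample_a.apk": make_apk(SHARED_SIG, b"\x00vpn2.umisen.com\x00"),
    "sample_b.apk": make_apk(SHARED_SIG, b"\x00121.42.149.52\x00"),
    "benign.apk": make_apk(b"constructed-signature-block-B", b"\x00example.org\x00"),
}
RESULTS = {name: triage(blob) for name, blob in SAMPLES.items()}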
    "Lookout researchers have not yet encountered samples in the wild and assess with moderate confidence that they are distributed to victims through social engineering campaigns. Google confirmed that based on current detection, no apps containing this malware are found to be on Google Play," Lookout said.

    However, APT41's interest in Android devices "shows that mobile endpoints are high-value targets with coveted data."
