Scroll Top

Chinese APT41 group targets Android devices with WyrmSpy and DragonEgg malware

Scherm­afbeelding 2023-07-21 om 15.40.22

In a concerning development, the Chinese-based state-sponsored espionage group, APT41, has been actively targeting Android devices with sophisticated spyware, known as WyrmSpy and DragonEgg. Disguised as legitimate applications, these malicious programs have raised significant security concerns for users worldwide.

APT41’s notorious espionage activities
APT41, which has been operating since 2012, has a history of launching attacks against a wide range of sectors, including software development, hardware manufacturers, telecommunications, social media, and video games. The group’s extensive activities have impacted both public and private organizations globally.

Indictments and extensive compromises
According to U.S. grand jury indictments from 2019 and 2020, APT41 has been involved in compromising over 100 organizations and individuals in the United States and beyond. Their ability to infiltrate sensitive systems and gain unauthorized access to critical data has raised alarms among cybersecurity experts.

Lookout threat lab tracks spyware
Researchers from Lookout Threat Lab have been diligently tracking the WyrmSpy and DragonEgg spyware and have shared a detailed analysis report of their findings. The report sheds light on the dangerous capabilities and potential impact of these malicious programs.

WyrmSpy: An impersonating Spyware
WyrmSpy initially camouflages itself as legitimate Android applications, primarily focusing on showing notifications to users. Once successfully installed on a device, it requests multiple device permissions to enable data exfiltration. It is worth noting that, as of the current detection, no apps containing WyrmSpy have been found on Google Play.

Once active, WyrmSpy can gather sensitive information, including log files, photos, device location, SMS messages (both reading and writing), and even audio recordings. It goes beyond the surface and utilizes known rooting tools to gain escalated privileges, enabling it to conduct surveillance activities specified by commands received from its command-and-control (C2) servers.

DragonEgg: Extracting sensitive data
Similarly, DragonEgg also operates by mimicking legitimate applications, using the payload “smallmload.jar” received from its C2 infrastructure or bundled with the APK. The malware seeks additional functionality similar to WyrmSpy and often requests permissions for services that are not genuinely used in the main app.

Once DragonEgg successfully compromises a device, it can extract various data, including device contacts, SMS messages, external device storage files, device location, audio recordings, and camera photos. Like WyrmSpy, DragonEgg relies on C2 commands and configuration files to dictate how it interacts with the compromised device and what data to extract.

A call for vigilance
As the threat of APT41’s Android-targeting spyware looms, users are urged to exercise caution while installing applications and to be vigilant against suspicious requests for permissions. Maintaining up-to-date security measures, such as using reputable antivirus software, can help protect against potential threats. continues to monitor such developments, providing essential insights to safeguard users and organizations against cyber threats and ensuring a safer digital landscape for all.

Related Posts

Leave a comment

You must be logged in to post a comment.
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.