Chinese APT41 hackers unleashed their fiery wrath on unsuspecting Android users.
Updated Trojans WyrmSpy and DragonEgg pose as keyboards and instant messengers, but out of the victims' sight they are busy with something completely different…
The Chinese hacker group APT41, also known as Axiom, Blackfly and Wicked Panda, has been linked by researchers to two Android spyware families dubbed "WyrmSpy" and "DragonEgg". The findings were published by Lookout's threat research team in a new report.
APT41 has been active since at least 2007 and has attacked companies across a wide range of industries to steal intellectual property. Most recently the group has been seen using GC2 (Google Command and Control), a publicly available red-team tool that abuses Google Sheets and Drive for tasking and exfiltration.
The initial infection vector is unknown, but the attackers presumably relied on social engineering. Lookout first encountered WyrmSpy in 2017 and DragonEgg in early 2021, and new DragonEgg samples continued to surface as recently as April 2023.
WyrmSpy was originally disguised as a default system notification app; later versions posed as the Baidu Waimai food-delivery service, Adobe Flash Player, and even a pornography viewer. DragonEgg was distributed under the guise of third-party keyboards and instant messengers, Telegram among them. The attribution to APT41 rests on both families using the same C2 server address.
Once installed, the malware requests a broad set of permissions and harvests the victim's photos, location data, SMS messages and audio recordings. Both families can also download additional modules to extend data collection and evade detection.
The WyrmSpy samples examined by the researchers could disable SELinux enforcement and obtain root privileges with the help of rooting tools such as KingRoot11. DragonEgg's distinguishing feature is that it fetches an additional, still unidentified module that masquerades as a digital forensics tool.
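As an added illustration (the editor's code, not Lookout's or the article's), the following Python script applies the practitioner's check implied by the two paragraphs above: compare the permissions an APK's AndroidManifest.xml requests with what its claimed purpose (a keyboard or a messenger) could justify, and flag the combination of SMS, location, microphone and storage access that a keyboard has no business asking for. The sample manifests, the category-to-permission grouping and the "two unjustified categories" threshold are all constructed for this example and are not taken from the real WyrmSpy or DragonEgg samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree key for android:name

# The data the article says WyrmSpy/DragonEgg collect (photos, location, SMS,
# audio), mapped to the permissions that grant it. Grouping is this example's own.
SPYWARE_PROFILE = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.READ_MEDIA_IMAGES": "storage",
}

# Assumption for this example: a keyboard can justify none of those categories;
# a messenger may need audio (voice notes) and storage (photo sharing), but not
# SMS access or location.
JUSTIFIED = {
    "keyboard": set(),
    "messenger": {"audio", "storage"},
}


def parse_manifest(xml_text):
    return ET.fromstring(xml_text)


def requested_permissions(root):
    return {e.get(NAME) for e in root.iter("uses-permission") if e.get(NAME)}


def has_ime_service(root):
    """A genuine keyboard registers a service handling android.view.InputMethod."""
    return any(a.get(NAME) == "android.view.InputMethod"
               for svc in root.iter("service") for a in svc.iter("action"))


def audit(xml_text, claimed):
    """Return the unjustified permission categories and a verdict for the app."""
    root = parse_manifest(xml_text)
    findings = {}
    for perm in sorted(requested_permissions(root)):
        cat = SPYWARE_PROFILE.get(perm)
        if cat and cat not in JUSTIFIED[claimed]:
            findings.setdefault(cat, []).append(perm)
    if claimed == "keyboard" and not has_ime_service(root):
        findings["no_ime_service"] = ["claims to be a keyboard but registers no InputMethod service"]
    # Threshold chosen for this example: two or more unjustified categories.
    verdict = "suspicious" if len(findings) >= 2 else "ok"
    return {"verdict": verdict, "findings": findings}


# Constructed sample manifests (not real malware manifests).
FAKE_KEYBOARD = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fastkeyboard">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".Ime" android:permission="android.permission.BIND_INPUT_METHOD">
      <intent-filter><action android:name="android.view.InputMethod"/></intent-filter>
    </service>
  </application>
</manifest>"""

REAL_KEYBOARD = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plainkeyboard">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application>
    <service android:name=".Ime" android:permission="android.permission.BIND_INPUT_METHOD">
      <intent-filter><action android:name="android.view.InputMethod"/></intent-filter>
    </service>
  </application>
</manifest>"""

MESSENGER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml_text, claimed in [("fake keyboard", FAKE_KEYBOARD, "keyboard"),
                                     ("real keyboard", REAL_KEYBOARD, "keyboard"),
                                     ("messenger", MESSENGER, "messenger")]:
        print(label, audit(xml_text, claimed))
```

Run it on a manifest pulled from an APK (after decoding with apktool or aapt) to get a first-pass triage; the check is deliberately manifest-only, so it will not see modules that are downloaded and loaded at runtime, which is exactly the trick both families use and why the verdict should trigger dynamic analysis rather than replace it.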
"The detection of WyrmSpy and DragonEgg is a reminder of the growing threat from advanced Android Trojans," says Lookout Senior Threat Researcher Kristina Balaam.
“These spy tools are extremely sophisticated and allow you to collect a wide range of data from infected devices,” the expert concluded.
The main recommendation for protecting against Android malware is to install apps only from official app stores. Even there, do not install everything indiscriminately: check the publisher and reviews of the app you pick, and be wary of any app, a keyboard in particular, that asks for permissions its stated purpose cannot explain, such as reading SMS, recording audio or tracking location.