Emerging Threat: APT41 Unleashes WyrmSpy and DragonEgg Spyware, Focusing on Mobile Devices

Introduction:

APT41, a highly active nation-state actor with ties to China, has recently been linked to two previously unknown strains of Android spyware, WyrmSpy and DragonEgg, discovered by the mobile security firm Lookout. The group is notable for the breadth of its operations, which span both state-sponsored espionage and financially motivated cybercrime. APT41 has been active since at least 2012 and has targeted a wide range of industries and organizations worldwide.

The initial infection vector used in the mobile surveillanceware campaign has not been confirmed, but it is believed to have relied on social engineering. Lookout first identified WyrmSpy in 2017 and DragonEgg in early 2021. New DragonEgg samples were still being detected as recently as April 2023, indicating that the operation remains active.


WyrmSpy:

WyrmSpy, in circulation since at least 2017, originally masqueraded as a default Android system application responsible for displaying notifications. More recent variants have been hidden inside apps posing as adult video content, as the Chinese food delivery platform Baidu Waimai, or as Adobe Flash. Once installed, WyrmSpy does not prompt the user for permissions; instead it relies on rooting tools to escalate its privileges, after which it carries out surveillance commands issued by its attacker-controlled command-and-control (C2) server.


DragonEgg:

Like WyrmSpy, DragonEgg is delivered inside trojanized apps, which have ranged from third-party keyboards to a modified version of Telegram. Once installed, DragonEgg requests extensive permissions from the user; if granted, these allow it to collect contacts, SMS messages, files on external storage, device location, photos, and audio recordings.

There is currently no evidence that the apps carrying WyrmSpy and DragonEgg were distributed through the Google Play Store, and the number of victims remains unknown. “The discovery of WyrmSpy and DragonEgg is a reminder of the growing threat posed by advanced Android malware,” Kristina Balaam, a senior threat researcher at Lookout, said. “These spyware packages are highly sophisticated and can be used to collect a wide range of data from infected devices. We urge Android users to be aware of the threat and to take steps to protect their devices, work and personal data.”


To protect business and personal Android devices from WyrmSpy and DragonEgg, follow the recommendations below:

  1. Install Apps Only from Trusted Sources: Download apps exclusively from the official Google Play Store or another reputable app store. Both spyware families were spread outside the Play Store, so sideloaded APKs, including modified builds of well-known apps such as Telegram, deserve particular suspicion.
  2. Regularly Update Software: Keep the Android OS and all installed apps up to date. Updates often include security patches for known vulnerabilities, including the flaws that rooting tools rely on to escalate privileges.
  3. Review App Permissions: Before installing an app, review the permissions it requests, and periodically check what has actually been granted under Settings. A keyboard or video app has no legitimate need for SMS, contacts, location, or microphone access.
  4. Be Wary of Suspicious Links: Avoid clicking on links from unknown sources, especially in emails or messages. They may lead to phishing pages or malware downloads.
  5. Use a Reliable Mobile Security App: Install a reputable mobile security app from a trusted provider. Such apps can help detect and block malicious software.
  6. Regularly Back Up Your Data: Create backups of your important data and store them securely, so you can recover in the event of a security incident.
  7. Educate Yourself and Employees: Make sure you and your employees understand common mobile threats and the practices above, so that social-engineering lures do not succeed.
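The DragonEgg description above (a sideloaded keyboard or messaging app that asks for contacts, SMS, storage, location, photo and microphone access) and recommendations 1 and 3 suggest a simple triage check an administrator can run against the output of `adb shell dumpsys package`. The script below is an added example, not code from Lookout or from the original advisory. It assumes the `Package [...]`, `installerPackageName=` and `<permission>: granted=true` line formats of recent Android builds (verify against your own device), treats only the Play Store as a trusted installer, and uses a constructed dump with a hypothetical package name for the "modified Telegram".

```python
"""Flag sideloaded Android apps that hold a cluster of surveillance permissions.

Added example (not Lookout's or the article's code). Parses the text output of
`adb shell dumpsys package`; the line formats matched below are an assumption
about recent Android builds. Run it on a real dump with:
    adb shell dumpsys package > dump.txt && python3 triage.py < dump.txt
"""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Runtime ("dangerous") permissions grouped by the kind of data they expose.
# The keys are the real android.permission.* identifiers.
SURVEILLANCE_PERMS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "calls",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_EXTERNAL_STORAGE": "files",
    "android.permission.READ_MEDIA_IMAGES": "photos",
}
# Assumption for this example: only the Play Store is a trusted installer.
# Add your MDM or enterprise store package here if you use one.
TRUSTED_INSTALLERS = {"com.android.vending"}
# Distinct data categories an app from an unknown installer must hold to be
# flagged. Heuristic threshold chosen for this example.
CATEGORY_THRESHOLD = 3

_PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\] \(")
_INSTALLER_RE = re.compile(r"installerPackageName=(\S+)")
_GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


@dataclass
class PackageInfo:
    name: str
    installer: Optional[str] = None  # None when installed via adb (dumpsys prints "null")
    granted: Set[str] = field(default_factory=set)


def parse_dumpsys(text: str) -> List[PackageInfo]:
    """Extract package name, installer and granted permissions for each package."""
    pkgs: List[PackageInfo] = []
    cur: Optional[PackageInfo] = None
    for line in text.splitlines():
        m = _PKG_RE.match(line)
        if m:
            cur = PackageInfo(m.group(1))
            pkgs.append(cur)
            continue
        if cur is None:
            continue
        m = _INSTALLER_RE.search(line)
        if m:
            cur.installer = None if m.group(1) == "null" else m.group(1)
            continue
        m = _GRANT_RE.match(line)
        if m and m.group(2) == "true":  # denied permissions are not collected
            cur.granted.add(m.group(1))
    return pkgs


def data_categories(pkg: PackageInfo) -> Set[str]:
    return {SURVEILLANCE_PERMS[p] for p in pkg.granted if p in SURVEILLANCE_PERMS}


def triage(pkgs: List[PackageInfo]) -> List[Tuple[str, Optional[str], List[str]]]:
    """Return (package, installer, categories) for apps that deserve a closer look."""
    findings = []
    for pkg in pkgs:
        cats = data_categories(pkg)
        if pkg.installer not in TRUSTED_INSTALLERS and len(cats) >= CATEGORY_THRESHOLD:
            findings.append((pkg.name, pkg.installer, sorted(cats)))
    return findings


# Constructed dumpsys excerpt: a Play-installed browser, an adb-sideloaded
# "modified Telegram" (hypothetical package name), and a keyboard installed by
# hand through the package installer.
SAMPLE_DUMP = """\
Packages:
  Package [com.android.chrome] (a1b2c3):
    installerPackageName=com.android.vending
    User 0: ceDataInode=0 installed=true
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
        android.permission.CAMERA: granted=true, flags=[ USER_SET]
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET]
  Package [org.telegram.messenger.mod] (d4e5f6):
    installerPackageName=null
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET]
  Package [com.example.keyboard] (0a1b2c):
    installerPackageName=com.google.android.packageinstaller
    User 0: ceDataInode=0 installed=true
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for name, installer, cats in triage(parse_dumpsys(text)):
        print(f"{name}: installer={installer or 'none (sideloaded)'} data={','.join(cats)}")
```

On the constructed dump only the sideloaded Telegram build is reported: Chrome holds several sensitive permissions but came from the Play Store, and the hand-installed keyboard holds only one data category. The threshold and the trusted-installer set are the two knobs to tune for a real fleet; an enterprise store or MDM agent that installs apps should be added to `TRUSTED_INSTALLERS`, or every managed device will be flagged.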