A sophisticated surveillance program, dubbed EagleMsgSpy, has been discovered by cybersecurity researchers at Lookout. The tool, believed to be used by Chinese police departments for lawful interception, has been active since 2017 and was last detected in September 2024.
Key Features and Capabilities:
– Collects extensive mobile device data, including chat messages, screen recordings, audio, call logs, contacts, and location information
– Requires physical access to target devices for installation
– Targets multiple messaging platforms including QQ, Telegram, WhatsApp, and WeChat
– Utilizes WebSocket communication with command-and-control servers
– Features an administrative panel for law enforcement monitoring
Technical Implementation:
The surveillance system consists of two components:
1. An installer APK
2. A headless surveillance client (MM or eagle_mm)
Attribution and Development:
– Developed by Wuhan Chinasoft Token Information Technology Co., Ltd.
– Evidence suggests that an iOS version may also exist
– Connected to previously identified Chinese surveillance tools (PluginPhantom and CarbonSteal)
– Multiple patent filings confirm its intended use by law enforcement
Evasion and Anti-Analysis Measures:
– Recent versions use ApkToolPlus for code obfuscation
– Uses password-protected archives for data exfiltration
– Employs the STOMP messaging protocol for C2 communication
The tool appears to be actively maintained and used by multiple Chinese law enforcement agencies, with infrastructure primarily based in Mainland China. Its sophisticated data collection capabilities and stealth mechanisms make it a powerful surveillance instrument for law enforcement operations.
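The report notes that the client talks to its C2 servers using STOMP over WebSocket. As an added example (not code from Lookout's report or from the tool itself), the following minimal STOMP 1.2 frame parser shows how a defender could scan captured WebSocket payloads for STOMP command frames; the sample payloads, including the host c2.example, are constructed.

```python
import re
# Added example, not code from Lookout's report: a minimal STOMP 1.2 frame
# parser to run over captured WebSocket payloads. Frame layout: COMMAND line,
# "key:value" header lines, blank line, optional body, terminating NUL byte.
STOMP_COMMANDS = {"CONNECT", "STOMP", "CONNECTED", "SEND", "SUBSCRIBE", "UNSUBSCRIBE",
                  "ACK", "NACK", "BEGIN", "COMMIT", "ABORT", "DISCONNECT", "MESSAGE",
                  "RECEIPT", "ERROR"}

def _unescape(value: str) -> str:
    # STOMP 1.2 header escaping: \n, \r, \c (colon) and a doubled backslash.
    return re.sub(r"\\([nrc\\])", lambda m: {"n": "\n", "r": "\r", "c": ":", "\\": "\\"}[m.group(1)], value)

def parse_stomp_frame(payload: bytes):
    """Return {'command', 'headers', 'body'} for a well-formed frame, else None."""
    if not payload.endswith(b"\x00"):
        return None  # heartbeats (a lone EOL) and ordinary app text lack the NUL terminator
    split = re.search(rb"\r?\n\r?\n", payload)
    if split is None:
        return None
    head = payload[: split.start()].decode("utf-8", errors="replace")
    command, *header_lines = re.split(r"\r?\n", head)
    if command not in STOMP_COMMANDS:
        return None
    headers = {}
    for line in header_lines:
        key, sep, value = line.partition(":")
        if not sep:
            return None  # malformed header line
        if command not in ("CONNECT", "CONNECTED"):  # spec: those two are never escaped
            key, value = _unescape(key), _unescape(value)
        headers.setdefault(key, value)  # first occurrence wins, per spec
    return {"command": command, "headers": headers, "body": payload[split.end():-1]}

def flag_stomp_c2(ws_payloads):
    """List (index, command, destination-or-host) for every STOMP frame seen."""
    hits = []
    for i, payload in enumerate(ws_payloads):
        frame = parse_stomp_frame(payload)
        if frame is not None:
            h = frame["headers"]
            hits.append((i, frame["command"], h.get("destination", h.get("host", ""))))
    return hits

# Constructed sample WebSocket payloads, not traffic from the report.
SAMPLE_PAYLOADS = [
    b"CONNECT\naccept-version:1.2\nhost:c2.example\n\n\x00",
    b'{"type":"ping"}',  # ordinary JSON app traffic
    b"\n",  # STOMP heartbeat
    b"SEND\ndestination:/app/upload\ncontent-type:text/plain\n\nbatch-01.zip\x00",
]
```

Running flag_stomp_c2 over SAMPLE_PAYLOADS reports only the CONNECT and SEND frames, which is the kind of signal to correlate with the device's other traffic rather than a verdict on its own.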