6-Year Chinese Surveillance Campaign Exposed: EagleMsgSpy’s Massive Mobile Data Theft Operation

Chinese Police Surveillance Tool “EagleMsgSpy” Exposed

A sophisticated surveillance program, dubbed EagleMsgSpy, has been discovered by cybersecurity researchers at Lookout. The tool, believed to be used by Chinese police departments for lawful interception, has been active since 2017 and was last detected in September 2024.

Key Features and Capabilities:
– Collects extensive mobile device data, including chat messages, screen recordings, audio, call logs, contacts, and location information
– Requires physical access to target devices for installation
– Targets multiple messaging platforms including QQ, Telegram, WhatsApp, and WeChat
– Utilizes WebSocket communication with command-and-control servers
– Features an administrative panel for law enforcement monitoring

Technical Implementation:
The surveillance system consists of two components:
1. An installer APK
2. A headless surveillance client (MM or eagle_mm)

Attribution and Development:
– Developed by Wuhan Chinasoft Token Information Technology Co., Ltd.
– Evidence suggests an iOS version may also exist
– Connected to previously identified Chinese surveillance tools (PluginPhantom and CarbonSteal)
– Multiple patent applications confirm its intended use by law enforcement

Security Measures:
– Recent versions use ApkToolPlus for code obfuscation
– Uses password-protected archives for data exfiltration
– Employs STOMP protocol for C2 communication
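A defender-side triage aid, added here and not taken from Lookout's report or from the tool itself: since the summary notes STOMP carried over WebSocket for C2, this parser recognises STOMP frames in decoded WebSocket payloads and lists the commands and destinations. The sample frames are constructed; the real destinations EagleMsgSpy uses are not given on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Commands defined by the STOMP 1.2 specification (client and server side).
STOMP_COMMANDS = {
    "CONNECT", "STOMP", "CONNECTED", "SEND", "SUBSCRIBE", "UNSUBSCRIBE",
    "ACK", "NACK", "BEGIN", "COMMIT", "ABORT", "DISCONNECT",
    "MESSAGE", "RECEIPT", "ERROR",
}


@dataclass
class StompFrame:
    command: str
    headers: Dict[str, str]
    body: bytes


def parse_stomp_frame(payload: bytes) -> Optional[StompFrame]:
    """Parse one STOMP frame: COMMAND, header lines, blank line, body, NUL.
    Returns None for heartbeats, HTTP, JSON or anything else that is not
    a well-formed STOMP frame, so it can be run over arbitrary WS payloads."""
    sep = re.search(rb"\r?\n\r?\n", payload)  # blank line ends the headers
    if not sep:
        return None
    head, rest = payload[: sep.start()], payload[sep.end():]
    lines = re.split(rb"\r?\n", head)
    command = lines[0].decode("ascii", "replace")
    if command not in STOMP_COMMANDS:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        key, colon, value = line.partition(b":")
        if not colon:
            return None
        # Per spec, the first occurrence of a repeated header wins.
        headers.setdefault(key.decode("utf-8", "replace"), value.decode("utf-8", "replace"))
    body, nul, _ = rest.partition(b"\x00")  # frame body is NUL-terminated
    if not nul:
        return None
    return StompFrame(command, headers, body)


def summarize_stomp(payloads: List[bytes]) -> List[Tuple[str, str]]:
    """(command, destination) for each STOMP frame; destinations reveal the
    queues/topics a client subscribes to or sends to, useful for triage."""
    out = []
    for p in payloads:
        frame = parse_stomp_frame(p)
        if frame is not None:
            out.append((frame.command, frame.headers.get("destination", "")))
    return out


# Constructed sample WebSocket payloads (not real EagleMsgSpy traffic).
SAMPLE_WS_PAYLOADS = [
    b"CONNECT\naccept-version:1.2\nhost:c2.example.invalid\n\n\x00",
    b"SUBSCRIBE\nid:0\ndestination:/topic/cmd\n\n\x00",
    b"SEND\ndestination:/queue/upload\ncontent-type:application/zip\n\n<archive>\x00",
    b"\n",                 # STOMP heartbeat, not a frame
    b'{"type":"ping"}',    # unrelated JSON message
]
```

Running `summarize_stomp(SAMPLE_WS_PAYLOADS)` yields the CONNECT, SUBSCRIBE and SEND frames with their destinations while ignoring the heartbeat and JSON.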

The tool appears to be actively maintained and used by multiple Chinese law enforcement agencies, with infrastructure primarily based in Mainland China. Its sophisticated data collection capabilities and stealth mechanisms make it a powerful surveillance instrument for law enforcement operations.