Security researchers have discovered a new surveillance tool they say Chinese law enforcement is using to collect sensitive information from Chinese Android devices.
The tool, named EagleMsgSpy, was discovered by researchers at US cybersecurity company Lookout. The company announced Wednesday at the Black Hat Europe conference that it had obtained several variants of the spyware, which it said had been in operation since “at least 2017.”
Christina Balaam, senior intelligence researcher at Lookout, told TechCrunch that the spyware is used by “many” public security bureaus in mainland China to collect “extensive” information from mobile devices. This includes call logs, contacts, GPS coordinates, bookmarks, and messages from third-party apps like Telegram and WhatsApp. According to research Lookout shared with TechCrunch, EagleMsgSpy can also initiate screen recordings on smartphones and capture audio recordings of the device while in use.
A manual obtained by Lookout states that the app “obtains the suspect's mobile phone information in real time through network control without the suspect's knowledge, and monitors and aggregates all activities on the criminal's mobile phone.” It is described as a “comprehensive mobile phone judicial surveillance product.”
Balaam assessed with “high confidence” that EagleMsgSpy was developed by a private Chinese technology company called Wuhan Zhongsoft Token Information Technology, due to the overlap in infrastructure, and said the tool's infrastructure also reveals the developer's relationship with mainland China's Public Security Bureau, a government agency that basically acts as a local police station.
The number of individuals targeted by EagleMsgSpy is still unknown. Balaam noted that while the tool is likely primarily used for domestic surveillance, “anyone traveling to the region could be at risk.”
“If it's just domestic surveillance, they're going to build infrastructure in places that we can't access from North America,” Balaam said. “I think this gives a little bit of insight into the fact that they want to be able to track people who leave the country, whether they're Chinese nationals or not.”
Lookout said it also observed two IP addresses associated with EagleMsgSpy used in other China-related surveillance tools, including Carbon Steel, which was used in previous campaigns targeting Tibetan and Uyghur communities.
Lookout notes that EagleMsgSpy currently requires physical access to the target device. However, Balaam told TechCrunch that the tool will still be in development by the end of 2024, and that it's “very possible” that EagleMsgSpy could be modified to no longer require physical access.
Lookout noted that internal documents it obtained hint at the presence of an as-yet-undiscovered iOS version of the spyware.