
The Chinese state-backed APT41 hacking group is targeting Android devices with two newly discovered spyware strains dubbed WyrmSpy and DragonEgg by Lookout security researchers.

APT41 is one of the oldest state hacking groups with a history of targeting various industries in the USA, Asia, and Europe.

They are known for conducting cyber-espionage operations against entities across various industry sectors, including software development, hardware manufacturing, think tanks, telcos, universities, and foreign governments.

The group has been tracked under various names by multiple cybersecurity companies. Kaspersky has tracked its activity since 2012 under the name Winnti, which it also uses to identify the malware employed in the group's attacks.

Mandiant has likewise been tracking them since 2014 and noticed that their activities overlapped with those of other known Chinese hacking groups, such as BARIUM.

The U.S. Department of Justice charged five Chinese nationals linked to APT41 in September 2020 for their involvement in cyberattacks on more than 100 companies.

"Unlike many nation-state-backed APT groups, APT41 has a track record of compromising both government organizations for espionage, as well as different private enterprises for financial gain," Lookout said in a report published this week.

The Android spyware link

While APT41 hackers usually breach their targets' networks via vulnerable web apps and Internet-exposed endpoints, Lookout says the group also targets Android devices with WyrmSpy and DragonEgg spyware strains.

Lookout first identified WyrmSpy in 2017 and DragonEgg in early 2021, with the most recent example dating back to April 2023.

Both Android malware strains come with extensive data collection and exfiltration capabilities, which are activated on compromised devices once secondary payloads have been deployed.

While WyrmSpy disguises itself as a default operating system app, DragonEgg is camouflaged as third-party keyboard or messaging apps, using these guises to evade detection.

The two malware strains also share overlapping Android signing certificates, strengthening their connection to a single threat actor.

Lookout discovered their link to APT41 after finding a command-and-control (C2) server at the IP address 121.42.149[.]52, which resolved to the vpn2.umisen[.]com domain and was hard-coded into the malware's source code.
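The two attribution signals described above, shared signing certificates and a hard-coded C2 address, are exactly what a defender can check for when triaging a batch of suspicious APKs. The following is an added example written for this article, not Lookout's tooling or code from the malware: it extracts the signer certificate from an APK's v1 (JAR) signature block in META-INF, fingerprints it with SHA-256 so samples signed with the same key cluster together, and scans every archive entry for the literal form of the two indicators quoted above. The APKs, certificates and PKCS#7 wrappers below are constructed fixtures built in the script itself (the certificates are placeholder DER, not real X.509), and only the standard library is used. APK v2/v3 signatures live in the APK Signing Block rather than META-INF and are out of scope here.

```python
"""Added example: cluster APK samples by v1 signing certificate and flag hard-coded C2 strings."""
import hashlib
import io
import zipfile

# Indicators quoted in the article, kept defanged so they are never live links.
KNOWN_C2 = ("121.42.149[.]52", "vpn2.umisen[.]com")


def refang(ioc):
    """Turn a defanged indicator back into the literal form found inside binaries."""
    return ioc.replace("[.]", ".")


def der(tag, body):
    """Encode one DER TLV (used only to build the constructed fixtures below)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def read_tlv(buf, pos):
    """Decode the DER TLV at buf[pos]; returns (tag, raw_tlv, value, next_pos)."""
    start, tag, length = pos, buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        k = length & 0x7F
        length = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    end = pos + length
    return tag, buf[start:end], buf[pos:end], end


def certificates_from_pkcs7(blob):
    """Walk PKCS#7 SignedData and return the raw DER of each embedded certificate."""
    _, _, content_info, _ = read_tlv(blob, 0)          # ContentInfo SEQUENCE
    _, _, _, pos = read_tlv(content_info, 0)           # contentType OID, skipped
    _, _, explicit0, _ = read_tlv(content_info, pos)   # [0] EXPLICIT content
    _, _, signed_data, _ = read_tlv(explicit0, 0)      # SignedData SEQUENCE
    pos = 0
    for _ in range(3):                                 # version, digestAlgorithms, encapContentInfo
        _, _, _, pos = read_tlv(signed_data, pos)
    certs = []
    if pos < len(signed_data) and signed_data[pos] == 0xA0:   # [0] IMPLICIT certificates
        _, _, cert_set, _ = read_tlv(signed_data, pos)
        cpos = 0
        while cpos < len(cert_set):
            tag, raw, _, cpos = read_tlv(cert_set, cpos)
            if tag == 0x30:                            # Certificate SEQUENCE
                certs.append(raw)
    return certs


def signing_cert_fingerprints(apk_bytes):
    """SHA-256 hex of every signer certificate found in the APK's META-INF signature blocks."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in certificates_from_pkcs7(zf.read(name)):
                    fps.add(hashlib.sha256(cert).hexdigest())
    return sorted(fps)


def find_c2_indicators(apk_bytes):
    """Return the known indicators (defanged) whose literal form appears in any archive entry."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            hits.update(ioc for ioc in KNOWN_C2 if refang(ioc).encode() in data)
    return sorted(hits)


def cluster_by_certificate(samples):
    """Group sample names by shared signing-certificate fingerprint."""
    clusters = {}
    for name, apk in samples.items():
        for fp in signing_cert_fingerprints(apk):
            clusters.setdefault(fp, []).append(name)
    return {fp: sorted(names) for fp, names in clusters.items()}


# ---- constructed fixtures (placeholder DER, not real certificates or malware) ----
def fake_cert(label):
    """A placeholder Certificate SEQUENCE; only its bytes matter for fingerprinting."""
    return der(0x30, der(0x02, b"\x01") + der(0x13, label))


def fake_pkcs7(cert):
    """Minimal PKCS#7 SignedData wrapper carrying one certificate."""
    id_data, id_signed = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01", b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"")
                      + der(0x30, der(0x06, id_data)) + der(0xA0, cert))
    return der(0x30, der(0x06, id_signed) + der(0xA0, signed_data))


def fake_apk(cert, dex_strings):
    """A zip laid out like a v1-signed APK, with a constructed classes.dex payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0".join(dex_strings))
        zf.writestr("META-INF/CERT.RSA", fake_pkcs7(cert))
    return buf.getvalue()


CERT_A, CERT_B = fake_cert(b"constructed signer A"), fake_cert(b"constructed signer B")
SAMPLES = {
    "keyboard_app.apk": fake_apk(CERT_A, [b"https://vpn2.umisen.com/upload"]),
    "system_update.apk": fake_apk(CERT_A, [b"no indicator here"]),
    "unrelated.apk": fake_apk(CERT_B, [b"http://121.42.149.52/ping"]),
}

if __name__ == "__main__":
    for fp, names in cluster_by_certificate(SAMPLES).items():
        print(fp[:16], names)
    for name, apk in SAMPLES.items():
        print(name, find_c2_indicators(apk))
```

Run against real APKs by replacing the SAMPLES dictionary with file contents. Two samples landing in the same certificate cluster is the same kind of evidence Lookout cites for tying WyrmSpy and DragonEgg to one actor, and a hit from find_c2_indicators on an app that claims to be a keyboard or system component is a strong reason to pull it for deeper analysis.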

The server was part of APT41's attack infrastructure between May 2014 and August 2020, as revealed in the U.S. Department of Justice's September 2020 indictment.

"Lookout researchers have not yet encountered samples in the wild and assess with moderate confidence that they are distributed to victims through social engineering campaigns. Google confirmed that based on current detection, no apps containing this malware are found to be on Google Play," Lookout said.

However, APT41's interest in Android devices "shows that mobile endpoints are high-value targets with coveted data."
