CIO Influence
CIO Influence News Cloud Security

Lookout Discovers Advanced Android Surveillanceware Attributed to China’s APT41

LimaCharlie Unveils SecOps Cloud Platform

Lookout the endpoint-to-cloud security company announced the discovery of two new advanced Android surveillanceware instances, WyrmSpy and DragonEgg, attributed to the high-profile Chinese threat group APT41. Despite being indicted on multiple charges by the U.S. government for its attacks on more than 100 private and public enterprises in the U.S. and around the world, APT41’s tactics have evolved to include mobile devices. Customers of Lookout Mobile Endpoint Security are protected from these threats.

CIO INFLUENCE: JFrog Software Supply Chain Platform Delivers 393% ROI According to Total Economic Impact Study

“The discovery of WyrmSpy and DragonEgg is a reminder of the growing threat posed by advanced Android malware”

APT41, also known as Double Dragon, BARIUM and Winnti, is a state-sponsored espionage group that has been active since 2012. In August 2019 and August 2020, five of its hackers were charged by a federal grand jury in Washington, D.C. for a computer intrusion campaign that impacted dozens of companies in the United States and abroad, including software development companies, computer hardware manufacturers, telecommunications providers, social media companies, video game companies, non-profit organizations, universities, think tanks, foreign governments and pro-democracy politicians and activists in Hong Kong.

Known for its exploitation of web-facing applications and infiltration of traditional endpoint devices, an established threat actor like APT41 including mobile in its arsenal of malware shows how mobile endpoints are high-value targets with coveted corporate and personal data.

Threat discovery highlights:

  • Both WyrmSpy and DragonEgg have sophisticated data collection and exfiltration capabilities, and Lookout researchers believe they are distributed to victims through social engineering campaigns.
  • Both use modules to hide their malicious intentions and avoid detection.
  • WyrmSpy, which is capable of collecting a wide range of data from infected devices including log files, photos, device location, SMS messages and audio recordings, primarily masquerades as a default Android system app used for displaying notifications to the user. Later variants also package the malware into apps masquerading as adult video content, “Baidu Waimai” food delivery platform and Adobe Flash.
  • DragonEgg has been observed in apps purporting to be third-party Android keyboards and messaging applications such as Telegram.

To protect your business and personal Android devices from WyrmSpy and DragonEgg, Lookout recommends the following:

  • Keep your device’s software up to date.
  • Only install apps from trusted sources and only download them from the Google Play Store.
  • Be careful about what permissions you grant apps.
  • Use a mobile security solution like Lookout.

CIO INFLUENCE: World Password Day: Password advice for CIOs

“The discovery of WyrmSpy and DragonEgg is a reminder of the growing threat posed by advanced Android malware,” said Kristina Balaam, Senior Threat Researcher, Lookout. “These spyware packages are highly sophisticated and can be used to collect a wide range of data from infected devices. We urge Android users to be aware of the threat and to take steps to protect their devices, work and personal data.”

Lookout Threat Lab researchers have been actively tracking both spyware and providing coverage to Lookout Mobile Endpoint Security customers since 2020. The Lookout Security Graph leverages machine intelligence from more than 215 million devices, 190 million apps and ingests 4.5 million URLs daily. Lookout secures customers against phishing, app, device, and network threats in a manner that respects user privacy.

CIO INFLUENCE: CIO Influence Interview with Lior Yaari, CEO and Co-Founder at Grip Security

[To share your insights with us, please write to sghosh@martechseries.com]

Related posts

Bayer Commits to Veeva Vault CRM and Veeva OpenData Globally

PR Newswire

Netskope Sets New Industry Benchmarks for Cloud Security Performance; Announces Industry-First SLA to Address Encrypted Traffic Processing

CIO Influence News Desk

Ensuring High Availability in a Multi-Cloud Environment: Lessons from the CrowdStrike Outage

Dave Bermingham