Threat Intelligence researchers at Lookout Threat Lab have uncovered EagleMsgSpy, a sophisticated surveillance tool developed by Wuhan Chinasoft Token Information Technology Co., Ltd. and used by Chinese law enforcement agencies.
The tool, operational since 2017, with development continuing into late 2024, represents a significant advancement in mobile device monitoring capabilities.
According to the Lookout blog post, EagleMsgSpy consists of two main components:
- An installer APK
- A headless surveillance client.
The tool requires physical access to an unlocked device for installation, indicating its intended use in law enforcement operations. Once installed, the surveillance module operates invisibly in the background, collecting extensive data, including chat messages from popular apps like WeChat and Telegram, screen recordings, screenshots, audio recordings, call logs, contacts, SMS messages, and GPS coordinates.
EagleMsgSpy has been described by its developers as a "comprehensive mobile phone judicial monitoring product" that can obtain "real-time mobile phone information of suspects through network control without the suspect's knowledge, monitor all mobile phone activities of criminals, and summarize them."
It's also equipped to gather call logs, contact lists, GPS coordinates, network and Wi-Fi connection details, external storage files, bookmarks from the device browser, and a list of installed applications on the device. The amassed data is compressed into password-protected archive files and exfiltrated to a command-and-control (C2) server.
The surveillance system employs increasingly sophisticated techniques, with recent versions utilizing ApkToolPlus for code obfuscation. The tool communicates with command-and-control servers through WebSockets using the STOMP protocol, and its administrative panel is built on the AngularJS framework with robust security measures.
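Because the C2 channel is STOMP carried over WebSockets, a defender inspecting captured WebSocket text payloads can recognise it by the STOMP frame layout (command line, `header:value` lines, blank line, body, NUL terminator). The following is an added example, not code from the Lookout report or from the tool: a minimal STOMP frame parser with constructed sample payloads; the `/app/upload` destination and `example.invalid` host are placeholders, not observed indicators.

```python
# Added example: parse STOMP frames from captured WebSocket text payloads so that
# STOMP-based C2 traffic can be flagged. Sample payloads below are constructed for
# illustration and are not real EagleMsgSpy traffic.

STOMP_COMMANDS = {"CONNECT", "STOMP", "SEND", "SUBSCRIBE", "UNSUBSCRIBE",
                  "BEGIN", "COMMIT", "ABORT", "ACK", "NACK", "DISCONNECT",
                  "CONNECTED", "MESSAGE", "RECEIPT", "ERROR"}


def parse_stomp_frame(payload: bytes):
    """Parse one STOMP frame: COMMAND\\nheader:value\\n...\\n\\nbody\\x00.

    Returns (command, headers, body) or None if the payload is not a STOMP
    frame. Simplification: bodies containing NUL (content-length framing)
    are not handled."""
    if not payload.endswith(b"\x00"):
        return None
    text = payload[:-1].decode("utf-8", errors="replace").replace("\r\n", "\n")
    head, sep, body = text.partition("\n\n")
    if not sep:
        return None
    lines = head.split("\n")
    command = lines[0].strip()
    if command not in STOMP_COMMANDS:
        return None
    headers = {}
    for line in lines[1:]:
        if ":" not in line:          # every header line must be key:value
            return None
        key, value = line.split(":", 1)
        headers[key.strip()] = value.strip()
    return command, headers, body


def flag_stomp_payloads(payloads):
    """Return (index, command, destination) for each payload that parses as STOMP."""
    hits = []
    for i, payload in enumerate(payloads):
        parsed = parse_stomp_frame(payload)
        if parsed:
            command, headers, _ = parsed
            hits.append((i, command, headers.get("destination")))
    return hits


# Constructed sample WebSocket text payloads (placeholder host/destination).
SAMPLE_PAYLOADS = [
    b"CONNECT\naccept-version:1.2\nhost:example.invalid\n\n\x00",
    b'{"type":"ping"}',
    b"SEND\ndestination:/app/upload\ncontent-type:text/plain\n\nhello\x00",
]
```

Run `flag_stomp_payloads(SAMPLE_PAYLOADS)` to see which payloads are STOMP frames; a sustained CONNECT/SEND pattern from a mobile device to an unexpected host is worth a closer look.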
Particularly noteworthy is the discovery of code references suggesting the existence of an iOS version, though researchers have yet to locate it.
The investigation also revealed infrastructure overlap with other Chinese surveillance tools, including PluginPhantom and CarbonSteal, which have been previously linked to surveillance campaigns targeting minority communities.
Patent applications filed by the company detail methods for creating relationship diagrams between surveillance targets and analyzing various types of mobile data. Multiple public security bureaus across China appear to be using the tool, as evidenced by infrastructure connections and government procurement documents, suggesting its widespread adoption in law enforcement operations.
Infrastructure analysis showed connections between EagleMsgSpy's command-and-control servers and several Chinese public security bureaus, including those in Yantai, Guiyang, and Dengfeng.
The researchers found multiple government procurement contracts requesting similar surveillance systems, indicating widespread adoption across Chinese law enforcement agencies.
The tool shares infrastructure with other known Chinese surveillance applications, including PluginPhantom and CarbonSteal, which have been previously linked to campaigns targeting minority groups in China.
The discovery of EagleMsgSpy provides new insights into the evolving landscape of mobile surveillance technology and its deployment by law enforcement agencies.