URL: https://www.lookout.com/threat-intelligence/article/eaglemsgspy-chinese-android-surveillanceware


Android
Spyware
In-Depth Analysis

December 11, 2024



LOOKOUT DISCOVERS NEW CHINESE SURVEILLANCE TOOL USED BY PUBLIC SECURITY BUREAUS

 * EagleMsgSpy is a lawful intercept surveillance tool developed by a Chinese
   software development company and used by public security bureaus in mainland
   China.
 * Early samples indicate the surveillance tool has been operational since at
   least 2017, with development continued into late 2024.
 * The surveillanceware consists of two parts: an installer APK, and a
   surveillance client that runs headlessly on the device when installed.
 * EagleMsgSpy collects extensive data from the user: third-party chat messages,
   screen recording and screenshot capture, audio recordings, call logs, device
   contacts, SMS messages, location data, network activity.
 * Infrastructure overlap and artifacts from open command and control
   directories allow us to attribute the surveillanceware to Wuhan Chinasoft
   Token Information Technology Co., Ltd. (武汉中软通证信息技术有限公司) with high confidence.



Researchers at the Lookout Threat Lab have discovered a surveillance family,
dubbed EagleMsgSpy, used by law enforcement in China to collect extensive
information from mobile devices. Lookout has acquired several variants of the
Android-targeted tool; internal documents obtained from open directories on
attacker infrastructure also allude to the existence of an iOS component that
has not yet been uncovered.


EAGLEMSGSPY

The surveillance family has been operational since at least 2017, and appears to
require physical access to the device to initiate surveillance operations. An
installer component, which would presumably be operated by law-enforcement
officers who gained access to the unlocked device, is responsible for delivering
a headless surveillance module that remains on the device and collects extensive
sensitive data. We believe that this is the only distribution mechanism; neither
the installer nor the payload has been observed on Google Play or other app
stores.


At launch, the installer presents the user with multiple options for installing,
initiating and granting additional permissions to the surveillance module. 


This installer app also suggests that this surveillance tool is likely used by
multiple customers of the software vendor, since it requires the user to input a
“channel”, which, according to documentation Lookout researchers were able to
access, corresponds to an “account”.

Lookout researchers have observed an evolution in the sophistication of the use
of obfuscation and storage of encrypted keys over time. This indicates that this
surveillanceware is an actively maintained product whose creators make
continuous efforts to protect it from discovery and analysis.

The surveillance payload collects an extensive amount of data about the victim
device:

 * Notification Listener and Accessibility Services monitor device use and
   intercept incoming messages
 * Collects all messages from QQ, Telegram, Viber, WhatsApp and WeChat
 * Initiates screen recording of the device through the Media Projection service
 * Captures screenshots
 * Captures audio recordings of the device while in use
 * Collects call logs
 * Collects device contacts
 * Collects SMS messages
 * Compiles a list of installed applications on the device
 * Retrieves GPS coordinates
 * Details wifi and network connections
 * Compiles a list of files in external storage
 * Collects bookmarks from the device browser
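Two of the capabilities above (the Notification Listener and the Accessibility Service) are user-granted on Android and are visible in the device's secure settings. The following triage helper is an added example, not Lookout's tooling: it parses the values printed by `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure enabled_notification_listeners`, drops packages an organisation has already reviewed, and ranks packages holding both grants first, since that is the combination the payload uses. The sample settings values, the allowlist and the package names are constructed placeholders.

```python
"""Triage helper for the two grants EagleMsgSpy's payload relies on
(Accessibility Service and Notification Listener).
Added example, not Lookout's tooling. It parses the values printed by
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure enabled_notification_listeners
The sample values and package names below are constructed placeholders."""

from dataclasses import dataclass

# Constructed sample output. Entries are "package/ServiceClass", separated by
# ":"; the settings value is "null" when nothing is enabled.
SAMPLE_ACCESSIBILITY = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.placeholder.sys/.svc.AccService"
)
SAMPLE_NOTIFICATION_LISTENERS = (
    "com.example.placeholder.sys/.svc.NotifService:"
    "com.example.wearcompanion/.NotificationListener"
)

# Constructed allowlist: packages already reviewed and accepted for these grants.
ALLOWLIST = {"com.android.talkback", "com.example.wearcompanion"}


@dataclass(frozen=True)
class Grant:
    package: str
    component: str   # fully qualified service class
    kind: str        # "accessibility" or "notification_listener"


def parse_components(raw: str, kind: str) -> list:
    """Split one settings value into Grant records."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    grants = []
    for entry in raw.split(":"):
        if "/" not in entry:
            continue                      # skip malformed fragments
        package, component = entry.split("/", 1)
        if component.startswith("."):     # shorthand relative to the package
            component = package + component
        grants.append(Grant(package, component, kind))
    return grants


def suspicious_grants(accessibility_raw: str, listeners_raw: str, allowlist) -> list:
    """Grants held by packages that are not on the reviewed allowlist."""
    grants = parse_components(accessibility_raw, "accessibility")
    grants += parse_components(listeners_raw, "notification_listener")
    return [g for g in grants if g.package not in allowlist]


def packages_with_both(grants) -> set:
    """Packages holding both grants at once, the combination the payload uses;
    these go to the top of the triage queue."""
    by_pkg = {}
    for g in grants:
        by_pkg.setdefault(g.package, set()).add(g.kind)
    return {p for p, kinds in by_pkg.items()
            if {"accessibility", "notification_listener"} <= kinds}


if __name__ == "__main__":
    flagged = suspicious_grants(SAMPLE_ACCESSIBILITY,
                                SAMPLE_NOTIFICATION_LISTENERS, ALLOWLIST)
    for g in flagged:
        print(f"{g.kind:22} {g.package}  ({g.component})")
    print("both grants:", sorted(packages_with_both(flagged)))
```

On a real device the two settings values are read with `adb shell settings get secure ...` and passed in place of the constructed strings; a package that is flagged for both grants and is not a known accessibility or wearable companion app is the first thing to pull for analysis.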

After data is collected, it is stored in a staging area in a hidden directory of
the file system of the device for eventual exfiltration. The data files are then
compressed and password protected before being sent to the command-and-control
(C2) server.

EagleMsgSpy C2 servers host an administrative panel requiring user
authentication, with landing pages that read “维稳研判系统” (“Stability Maintenance
Judgment System”). This administrative panel is implemented using the AngularJS
framework, with appropriately configured routing and authentication preventing
unauthorized access to the extensive admin API. However, Lookout researchers
were able to access large parts of the panel’s source code.

The source code revealed multiple functions that distinguish between device
platforms (Android vs. iOS). This implies the existence of an iOS version of
this surveillance tool though Lookout researchers have not been able to locate
it to date. 



A function, getListIOS(), from /assets/js/controller/device/im.js is called
separately for devices identified with the iOS platform.

Lookout researchers were also able to uncover two documents that direct the user
to two help files: one titled “EAGLE 系统用户说明书” (Eagle System User Manual) for
using the “Eagle” admin panel, and one for installing and configuring the “MM”
EagleMsgSpy surveillance client.



An introduction page summarizes the EagleMsgSpy client’s capabilities and use
cases. 


The introduction to the “EAGLE 系统用户说明书” manual calls the EagleMsgSpy
surveillanceware “手机临侦” (“Mobile Phone Temporary Investigation”) and describes
it as a “comprehensive mobile phone judicial monitoring product” that can obtain
“real-time mobile phone information of suspects through network control without
the suspect’s knowledge, monitor all mobile phone activities of criminals and
summarize them”. 

The document further describes various methods for acquiring the surveillance
client and installing it to the device: through a QR code or through a physical
device that is able to install the client when connected to USB.



The Eagle system manual describes this view as the "Contact Geographical
Distribution" graph, and explains in the documentation that it “shows the
geographical distribution of contacts in the phone's address book, text
messages, and call records.”

The Eagle System User Manual also documents many of the views available to
administrators through the Eagle web panel. These include distribution graphs
and heatmaps for geographical data tied to a target device’s contacts, a “Top
10” list of most frequently contacted individuals, as well as numerous views
dedicated to reviewing data collected from a compromised device. The
administrator is also able to trigger real-time photo collection from a device,
real-time screenshot collection, block incoming and outgoing calls and SMS
messages to specific phone numbers, and initiate real-time audio recording from
the device.



The admin panel allows users to trigger real-time audio recordings on the
device, as demonstrated in this screenshot from the manual.



ATTRIBUTING EAGLEMSGSPY

The IP address of one of the C2 servers encountered during the investigation had
previously been pointed to by several subdomains associated with a private
Chinese technology company, Wuhan Chinasoft Token Information Technology Co.,
Ltd. (武汉中软通证信息技术有限公司). The root domain, tzsafe[.]com, was encountered in
promotional materials found during an OSINT investigation into this Wuhan-based
technology company. The string tzsafe also appears in all known versions of the
MM surveillance module as part of a password used for encryption.



A screenshot of the GPS analysis panel shows two sets of GPS coordinates for
locations near the 武汉中软通证信息技术有限公司 office.

In the aforementioned EagleMsgSpy admin user manual, a screenshot displaying
locations of target devices (presumably test devices) shows two sets of
coordinates, located ~1.5 km from the registered official business address of
Wuhan Chinasoft Token Information Technology Co., Ltd.

Business registration documents for the company list an opening date of July
14th, 2016 and a staff size of less than 50 personnel. Its listed “English
company name” is Wuhan Zhongruan Tongzheng Information Technology Co., Ltd with
a registered address at the Wuhan East Lake New Technology Development Zone
(武汉市东湖新技术开发区). In the promotional documents obtained by Lookout, the company
refers to itself as “Wuhan ZRTZ Information Technology Co, Ltd.”, with ZRTZ
presumably being the acronym of the Pinyin “zhōngruǎn tōng zhèng” (中软通证).

Based on this infrastructure overlap, open-source intelligence and references
within the source code to part of the company’s commercial domain, Lookout
researchers assess with high confidence that EagleMsgSpy was developed (and
continues to be maintained) by Wuhan Chinasoft Token Information Technology Co.,
Ltd.


CONNECTIONS TO PUBLIC SECURITY BUREAUS

Infrastructure overlap between EagleMsgSpy C2s and domains used by public
security bureaus (公安局) in mainland China indicates that the surveillance tool was
likely used by several such bureaus throughout the region. Public security
bureaus are government offices that essentially act as local police stations,
responsible for social order and local policing.



Public security bureaus in mainland China identified with ties to EagleMsgSpy
infrastructure.

An early EagleMsgSpy variant from 2017 specifies a hardcoded C2 address that was
the resolving IP for two Chinese government websites during the time in which
this EagleMsgSpy variant was packaged. The domains, zfga.gov[.]cn and
ytga.gov[.]cn, are used for the public-facing websites of the Yantai Public
Security Bureau and its associated branches. The domain zfga.gov[.]cn refers to
the Zhifu Branch of Yantai Public Security Bureau (烟台市公安局芝罘分局) while
ytga.gov[.]cn refers to the main Yantai Public Security Bureau (烟台市公安局).
Earlier domains resolving to this IP, gyga.gov[.]cn and ykga.gov[.]cn, were used
by the Gui Yang Public Security Bureau (贵阳市公安局) and Yantai Development Zone
Public Security Bureau (烟台开发区公安局) websites. Furthermore, an SSL certificate used
by three C2s hardcoded in EagleMsgSpy variants was also used by an IP address
that was the former resolving IP for the Dengfeng Public Security Bureau
(登封市公安局) website.


A document announcing the Shilou County Public Security Bureau’s request for the
development of a Stability Maintenance Judgement System.

CFPs for government contracts in China are often available publicly, and Lookout
researchers were able to locate multiple bidding contracts, issued by other
public security bureaus, for similar systems bearing the same generic name as
the panels hosted on EagleMsgSpy C2 servers. This suggests that EagleMsgSpy is
just one of many contracted mobile surveillance tools used by law enforcement
throughout mainland China.


CONNECTIONS TO OTHER CHINESE SURVEILLANCEWARE APPS

Infrastructure sharing SSL certificates with EagleMsgSpy C2 servers was also
used by known Chinese surveillance tools in earlier campaigns. The IP address
202.107.80[.]34 was used by 15 PluginPhantom samples from early 2017 to late
2020. PluginPhantom has been used in campaigns by Chinese APTs.

A sample of CarbonSteal - a surveillance tool discovered by Lookout and
attributed to Chinese APTs - was observed communicating with another IP tied to
the EagleMsgSpy SSL certificate, 119.36.193[.]210. This sample, created in July
2016, masquerades as a system application called “AutoUpdate”. 

In a 2020 threat advisory, Lookout researchers detailed CarbonSteal activity in
campaigns targeting minorities in China, including Uyghurs and Tibetans.
Significant overlap in signing certificates, infrastructure and code was
observed between CarbonSteal and other known Chinese surveillance, including
Silkbean, HenBox, DarthPusher, DoubleAgent and PluginPhantom.


CONCLUSION

EagleMsgSpy is a lawful intercept surveillance tool developed by Wuhan Chinasoft
Token Information Technology Co., Ltd. (武汉中软通证信息技术有限公司) and used by public
security bureaus in mainland China. The malware is placed on victim devices and
configured through access to the unlocked victim device. Once installed, the
headless payload runs in the background, hides its activities from the user of
the device and collects extensive data from the user. Public CFPs for similar
systems indicate that this surveillance tool or analogous systems are in use by
many public security bureaus in China.


INDICATORS OF COMPROMISE

SHA1

dab40467824ff3960476d924ada91997ddfce0b0
fef7ad2b74db3e42909c04816c66c61c61b7a8c4
ddc729ecf21dd74e51e1a2f5c8b1d2d06ed4a559
f092dfab5b1fbff38361077f87805403318badfa
d4e943ba47f762194bcf3c07be25a9f6ea5a36b0
cea796beb252d1ab7db01d8a0103f7cca5d0955d
5208039ef9efb317cc2ed7085ca98386ec31b0b4
5d935d5ab7b7c6b301a4c79807c33e0bee23e3ff
5e282b0395093c478c36eda9b4ee50c92d8cf6eb
ec580142c0dff25b43f8525f9078dd3d6a99361c
87d925a95d584e4c46545579b01713f6d74eee00
880c46bf7e65e3f9a081f42582af1f072e22cf1a
0b1d3d87a453f63129e73b2a32d95ef3eea94b4e
8ee651a90c36a98b2ab240efb64c597c21fb6f1e
f0f3e8f01a17c7d5be440dfa7ef7e5ac1f068fe5
9557eebe4ee2dc602750365e722002d9f686b7fb
29bbb04c0180e78bd6bad49719ce92ae17081a3b
01003f047caa05873ee420e29ee54d6cc8203ca6
64aca40e982836b72f156fb66b6383a0634d12cc
e6b270be7a6c3cca16ae7268f3a93c74c14b0510
caa93aa37353cab26a30e291c41fe579d3304e1a
d6d706b23caefb2822914e294452ada77710eff3
4dfcc0b99f81b66c56059a72d4e149bc5d728b87
81c572580d09231fbdc3cf4fedb2aa07be3b7769
59987ceadbd899314ffcf77958faf3b35aa064cd
89642d092adaea7ad1e5ae77dea97bbdef5839d1
6d043b4d7bc513cc6d3e308a84ed8b63e3bab4f6

IP

61.136.71[.]171
149.28.21[.]203
47.112.137[.]199
59.48.241[.]214
61.163.69[.]238
59.48.241[.]22
220.168.203[.]197
218.200.20[.]254
202.107.80[.]34
124.163.212[.]149
119.36.193[.]210
101.201.213[.]210
111.21.6[.]126

DOMAIN

xkong.tzsafe[.]com
www.tzsafe[.]com
qzapp.tzsafe[.]com
kong.tzsafe[.]com
i.tzsafe[.]com
git.tzsafe[.]com
es.ngrok.tzsafe[.]com
efence.demo.tzsafe[.]com
eagle.zrtsafe[.]com
eagle.tzsafe.tk
eagle.tzsafe[.]com
eagle.demo.tzsafe[.]com
bug.tzsafe[.]com
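The indicators above are published defanged (`[.]` in place of `.`), so they need to be refanged and typed before they can be matched against telemetry. The script below is an added example, not Lookout's tooling: it loads a subset of the indicators listed in this section, classifies each as a SHA1, IP or domain, and scans key=value style log lines for resolver queries, proxy destinations and installed-APK hashes, treating a subdomain of a listed domain as a hit but never a parent domain. The log lines, the field names (`query`, `dst`, `apk_sha1`) and the client addresses are constructed for the example.

```python
"""Match the article's defanged indicators against log lines.
Added example, not Lookout's tooling. The indicator subset is copied from the
IoC section above; the log lines and their field names are constructed for the
example and the client addresses are placeholders."""

import ipaddress
import re

# Subset of the published indicators, kept defanged exactly as listed.
DEFANGED_IOCS = """
61.136.71[.]171
202.107.80[.]34
119.36.193[.]210
xkong.tzsafe[.]com
eagle.tzsafe[.]com
eagle.zrtsafe[.]com
eagle.tzsafe.tk
dab40467824ff3960476d924ada91997ddfce0b0
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def refang(token: str) -> str:
    """Undo the usual defanging so the value can be compared with live data."""
    return token.replace("[.]", ".").replace("hxxp", "http")


def classify(ioc: str) -> str:
    """Type an already-refanged indicator as sha1, ip or domain."""
    if SHA1_RE.match(ioc):
        return "sha1"
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        return "domain"


def load_iocs(text: str) -> dict:
    """Parse one indicator per line into typed sets."""
    iocs = {"sha1": set(), "ip": set(), "domain": set()}
    for line in text.splitlines():
        token = line.strip().lower()
        if token:
            value = refang(token)
            iocs[classify(value)].add(value)
    return iocs


def domain_matches(host: str, domains) -> bool:
    """Exact match or subdomain of a listed domain (never a parent of one)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


# Constructed sample lines: DNS queries, proxy connections and an EDR install event.
SAMPLE_LOGS = [
    "2024-12-11T08:01:02Z dns client=10.0.0.12 query=eagle.tzsafe.com type=A",
    "2024-12-11T08:01:03Z proxy client=10.0.0.12 dst=61.136.71.171:443 bytes=5120",
    "2024-12-11T08:05:00Z dns client=10.0.0.44 query=www.example.com type=A",
    "2024-12-11T08:06:10Z proxy client=10.0.0.9 dst=192.0.2.10:443 bytes=900",
    "2024-12-11T08:07:00Z edr host=10.0.0.12 apk_sha1=dab40467824ff3960476d924ada91997ddfce0b0 action=install",
]

# Fields worth checking; a value ends at whitespace or at a ":port" suffix.
FIELD_RE = re.compile(r"\b(?:query|dst|apk_sha1)=([^\s:]+)")


def scan_logs(lines, iocs) -> list:
    """Return (line, matched_value) pairs for every indicator hit."""
    hits = []
    for line in lines:
        for match in FIELD_RE.finditer(line):
            value = match.group(1).lower()
            if (value in iocs["ip"] or value in iocs["sha1"]
                    or domain_matches(value, iocs["domain"])):
                hits.append((line, value))
    return hits


if __name__ == "__main__":
    for line, value in scan_logs(SAMPLE_LOGS, load_iocs(DEFANGED_IOCS)):
        print(f"HIT {value}: {line}")
```

The subdomain rule matters for this family: the listed hosts are all under tzsafe[.]com, so a lookup for a new host under one of the listed subdomains still fires, while a lookup for the bare apex does not produce a false positive on its own.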





AUTHORS

KRISTINA BALAAM

Staff Security Intelligence Engineer

Kristina is a Staff Security Intelligence Engineer at Lookout where she reverse
engineers mobile malware. Prior to Lookout, she worked as an Application
Security Engineer at Shopify focusing mostly on Android mobile security.
Kristina graduated with a Bachelor of Computer Science from McGill University in
2012, and is currently pursuing an MSc. in Information Security Engineering from
the SANS Institute of Technology. She blogs about computer security on
Instagram, Twitter and Youtube under the handle @chmodxx.
