Security researchers have revealed that Chinese government authorities are using a new surveillance tool to steal private data from Android devices in the country.
Researchers at the American cybersecurity company Lookout found the tool, which they called “EagleMsgSpy.” At Wednesday’s Black Hat Europe conference, the company announced that it had obtained many variants of the malware, which it claims has been active since “at least 2017.”
Lookout senior intelligence analyst Kristina Balaam said that “many” mainland Chinese public security departments had used the malware to gather “extensive” data from mobile devices. This includes contacts, phone history, location data, bookmarks, and messages from apps like WhatsApp and Telegram. According to the research, EagleMsgSpy can also record audio from phones while they are in use and can even start recording the screen.
According to Lookout’s reading of the app’s manual, it is described as a “comprehensive mobile phone judicial monitoring product” that can gather “real-time mobile phone information of suspects through network control without the suspect’s knowledge, monitor all mobile phone activities of criminals, and summarise them.”
According to Balaam, infrastructure overlap indicates that EagleMsgSpy was built by a private Chinese IT firm named Wuhan Chinasoft Token Information Technology. She says she has “high confidence” in this assessment. She further claimed that the tool’s architecture exposed the developer’s ties to mainland China’s public security bureaus, which are effectively local police stations.
It is not yet known how many people EagleMsgSpy has targeted. Balaam says the tool is probably being used mostly for domestic monitoring, but warns that “Anybody traveling to the region could be at risk.”
“I think if it was just about domestic surveillance, they would stand up their infrastructure in some place that we couldn’t access from North America,” Balaam said. “I think it gives us a bit of insight into the fact that they’re hoping to be able to track people if they leave, whether they are Chinese citizens, or not.”
Lookout said it also found two IP addresses associated with EagleMsgSpy. These addresses have been linked with other Chinese surveillance programs, including CarbonSteal, which has been used in past campaigns to target the Uyghur and Tibetan populations.
Lookout points out that, at this time, EagleMsgSpy cannot be used without physical access to the target device. According to Balaam, the tool was still being worked on as late as 2024, and it “is entirely possible” that EagleMsgSpy could be changed so that it doesn’t need physical access.
According to internal documents that Lookout reviewed, there may be an iOS version of the spyware that hasn’t been found yet.