Full Report
The researchers said development of the EagleMsgSpy tool has continued throughout 2024, with the company behind it adding new capabilities and obfuscation features.
Analysis Summary
# Threat Actor: EagleMsgSpy Developer/Operator (Implied Chinese State/Law Enforcement)
## Attribution & Identity
The spyware tool, EagleMsgSpy, is being used by multiple province-level security bureaus in China, which function as local police stations/law enforcement. The development of the tool is attributed to **Wuhan Chinasoft Token Information Technology**. There are potential connections noted between the developers and **Topsec**.
## Activity Summary
EagleMsgSpy has been in use by Chinese public security bureaus since at least 2017, with development continuing through 2024 and adding new capabilities and obfuscation features. It is used for widespread surveillance of targets. The tool shares infrastructure or shows operational overlap with other surveillance tools such as **PluginPhantom** and **CarbonSteal**, which have targeted minorities (Uyghurs and Tibetans) in China.
## Tactics, Techniques & Procedures
- Extensive data collection from Android mobile devices.
- Collection of encrypted messages (Telegram, WhatsApp, WeChat, QQ, Viber).
- Real-time audio recording initiation.
- Real-time screenshot collection.
- Real-time photo collection initiation.
- Call and SMS blocking capabilities (inbound/outbound).
- Data handling: collected data is written to a staging area on the device, then compressed, then exfiltrated to an external server.
- Installation methods observed: USB plug-in or via a QR code (implying potential physical access requirement).
- File naming uses bland, non-suspicious designations.
## Targeting
- Sectors: Law Enforcement (as users); General population/individuals under surveillance (as victims).
- Geography: China (users are Chinese Public Security Bureaus).
- Victims: Undisclosed individuals whose mobile devices (primarily Android, potential Apple version) are targeted for extensive data harvesting.
## Tools & Infrastructure
- Malware families used: **EagleMsgSpy** (Surveillanceware). Overlap/shared infrastructure with **PluginPhantom** and **CarbonSteal**.
- Infrastructure (C2, domains, IPs): Infrastructure points toward use by multiple public security bureaus across China. Specific domains/IPs were not detailed in the summary context.
## Implications
The existence and sustained use of EagleMsgSpy by Chinese law enforcement indicates a significant, domestically focused surveillance apparatus built on powerful contracted mobile spyware (commercial or state-deployed). Its extensive data collection capabilities, including access to encrypted messaging apps, pose a high threat to the privacy and security of targeted individuals within China. The tool's connection to broader surveillance efforts against specific minority groups heightens concerns about systemic state monitoring.
## Mitigations
- Defenses should focus on preventing unauthorized physical access required for installation (e.g., securing devices against USB insertion if applicable).
- Deploy security solutions capable of detecting advanced mobile surveillance/spyware, with a focus on deep system monitoring and call/SMS interception, especially in high-risk environments.
- User awareness regarding suspicious QR codes or software installation methods not from official application stores.
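As an added illustration of the detection mitigation above (not code from the original report or from Lookout), the following triage helper maps the capability profile described in the TTPs (audio capture, SMS and call interception, screen capture via overlay) onto Android permissions and flags sideloaded third-party packages that hold several of them at once. It reads the text of `adb shell dumpsys package <pkg>`; the sample input, the package names in it, and the exact dumpsys layout it parses are constructed assumptions for this example, while the permission names are real Android permissions. Any package it flags is a triage lead, not a verdict, since legitimate dialer or messaging apps can hold the same permissions.

```python
"""Triage helper: flag sideloaded Android packages whose granted permissions
match a surveillanceware capability profile (audio capture, SMS and call
interception, screen overlay).

Input is the text of `adb shell dumpsys package <pkg>` for one or more
packages. SAMPLE_DUMPSYS below is constructed for this example and only
approximates the real dumpsys layout; the permission names are real.
"""
import re

# Permission groups tied to the capabilities described in the summary.
CAPABILITY_PERMS = {
    "audio_capture": {"android.permission.RECORD_AUDIO"},
    "sms_interception": {"android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS"},
    "call_interception": {"android.permission.READ_CALL_LOG",
                          "android.permission.ANSWER_PHONE_CALLS",
                          "android.permission.READ_PHONE_STATE"},
    "screen_overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}

# Installers considered "from an app store"; extend with the OEM store
# used in your fleet (assumption: Play Store only).
STORE_INSTALLERS = {"com.android.vending"}

# Constructed sample dumpsys output; package names are invented.
SAMPLE_DUMPSYS = """\
  Package [com.example.messenger] (1a2b3c):
    installerPackageName=com.android.vending
    install permissions:
      android.permission.RECORD_AUDIO: granted=true
      android.permission.READ_PHONE_STATE: granted=true
  Package [com.example.sysservice] (4d5e6f):
    installerPackageName=null
    install permissions:
      android.permission.RECORD_AUDIO: granted=true
      android.permission.RECEIVE_SMS: granted=true
      android.permission.READ_SMS: granted=true
      android.permission.READ_CALL_LOG: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
"""


def parse_dumpsys(text):
    """Return {package: {"installer": str|None, "granted": set}} from dumpsys text."""
    pkgs = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*Package \[([\w.]+)\]", line)
        if m:
            current = m.group(1)
            pkgs[current] = {"installer": None, "granted": set()}
            continue
        if current is None:
            continue
        m = re.match(r"\s*installerPackageName=(\S+)", line)
        if m:
            val = m.group(1)
            pkgs[current]["installer"] = None if val == "null" else val
            continue
        # Matches both "install permissions" and "runtime permissions" lines,
        # which start with the permission name followed by "granted=true".
        m = re.match(r"\s*(android\.permission\.[A-Z_]+): granted=true", line)
        if m:
            pkgs[current]["granted"].add(m.group(1))
    return pkgs


def assess(pkgs, min_capabilities=3):
    """Return {package: [capabilities]} for sideloaded packages that combine
    at least `min_capabilities` of the surveillance capability groups."""
    findings = {}
    for name, info in pkgs.items():
        caps = sorted(cap for cap, perms in CAPABILITY_PERMS.items()
                      if perms & info["granted"])
        sideloaded = info["installer"] not in STORE_INSTALLERS
        if sideloaded and len(caps) >= min_capabilities:
            findings[name] = caps
    return findings


def triage(text):
    """Parse dumpsys text and return the flagged packages."""
    return assess(parse_dumpsys(text))


if __name__ == "__main__":
    for pkg, caps in triage(SAMPLE_DUMPSYS).items():
        print(f"{pkg}: sideloaded, capabilities={', '.join(caps)}")
```

On a real device, feed the script the concatenated output of `adb shell dumpsys package <pkg>` for each entry returned by `adb shell pm list packages -3`; the installer check is what separates a store-distributed messaging app (which legitimately holds several of these permissions) from a package dropped over USB or via a QR-code download, which is the installation path the summary describes.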