July 19, 2023

Lookout Discovers Advanced Android Surveillanceware Attributed to China’s APT41

An established threat actor like APT41 turning its focus to mobile devices shows how mobile endpoints are high-value targets with coveted work and personal data

BOSTON, July 19, 2023 – Lookout, Inc., the endpoint-to-cloud security company, today announced the discovery of two new advanced Android surveillanceware instances, WyrmSpy and DragonEgg, attributed to the high-profile Chinese threat group APT41. Despite being indicted on multiple charges by the U.S. government for its attacks on more than 100 private and public enterprises in the U.S. and around the world, APT41’s tactics have evolved to include mobile devices. Customers of Lookout Mobile Endpoint Security are protected from these threats.

APT41, also known as Double Dragon, BARIUM and Winnti, is a state-sponsored espionage group that has been active since 2012. In August 2019 and August 2020, five of its hackers were charged by a federal grand jury in Washington, D.C. for a computer intrusion campaign that impacted dozens of companies in the United States and abroad, including software development companies, computer hardware manufacturers, telecommunications providers, social media companies, video game companies, non-profit organizations, universities, think tanks, foreign governments and pro-democracy politicians and activists in Hong Kong. 

Known for its exploitation of web-facing applications and infiltration of traditional endpoint devices, an established threat actor like APT41 including mobile in its arsenal of malware shows how mobile endpoints are high-value targets with coveted corporate and personal data. 

Threat discovery highlights:

  • Both WyrmSpy and DragonEgg have sophisticated data collection and exfiltration capabilities, and Lookout researchers believe they are distributed to victims through social engineering campaigns.  
  • Both use modules to hide their malicious intentions and avoid detection. 
  • WyrmSpy, which is capable of collecting a wide range of data from infected devices including log files, photos, device location, SMS messages and audio recordings,  primarily masquerades as a default Android system app used for displaying notifications to the user. Later variants also package the malware into apps masquerading as adult video content, “Baidu Waimai” food delivery platform and Adobe Flash. 
  • DragonEgg has been observed in apps purporting to be third-party Android keyboards and messaging applications such as Telegram. 

To protect your business and personal Android devices from WyrmSpy and DragonEgg, Lookout recommends the following:

  • Keep your device’s software up to date.
  • Only install apps from trusted sources and only download them from the Google Play Store.
  • Be careful about what permissions you grant apps.
  • Use a mobile security solution like Lookout.

“The discovery of WyrmSpy and DragonEgg is a reminder of the growing threat posed by advanced Android malware,” said Kristina Balaam, Senior Threat Researcher, Lookout. “These spyware packages are highly sophisticated and can be used to collect a wide range of data from infected devices. We urge Android users to be aware of the threat and to take steps to protect their devices, work and personal data.”

Lookout Threat Lab researchers have been actively tracking both spyware and providing coverage to Lookout Mobile Endpoint Security customers since 2020. The Lookout Security Graph leverages machine intelligence from more than 215 million devices, 190 million apps and ingests 4.5 million URLs daily. Lookout secures customers against phishing, app, device, and network threats in a manner that respects user privacy.

To learn more about WyrmSpy and DragonEgg, read the Lookout Threat Lab blog.

Additional Resources:

About Lookout

Lookout, Inc. is the endpoint-to-cloud cybersecurity company that delivers zero trust security by reducing risk and protecting data wherever it goes, without boundaries or limits. Our unified, cloud-native platform safeguards digital information across devices, apps, networks and clouds and is as fluid and flexible as the modern digital world. Lookout is trusted by enterprises and government agencies of all sizes to protect the sensitive data they care about most, enabling them to work and connect freely and safely. To learn more about the Lookout Cloud Security Platform, visit www.lookout.com and follow Lookout on our blog, LinkedIn and Twitter.

Contact Lookout PR: press@lookout.com 

© 2023 Lookout, Inc. LOOKOUT®, the Lookout Shield Design®, and LOOKOUT with Shield Design® are registered trademarks of Lookout, Inc. in the United States and other countries. DAY OF SHECURITY®, LOOKOUT MOBILE SECURITY®, and POWERED BY LOOKOUT® are registered trademarks of Lookout, Inc. in the United States. Lookout, Inc. maintains common law trademark rights in EVERYTHING IS OK, PROTECTED BY LOOKOUT, CIPHERCLOUD, the 4 Bar Shield Design, and the Lookout multi-color/multi-shaded Wingspan design.


Sign-up for the latest Lookout news and threat research

By subscribing you agree with our Privacy Policy
Follow on