The Chinese state-backed hacking group APT41 is targeting Android devices with two newly discovered strains of spyware, dubbed WyrmSpy and DragonEgg by security researchers at Lookout.
APT41 is one of the oldest state hacking groups with a history of targeting various industries in the United States, Asia, and Europe.
They are known to carry out cyber espionage operations against entities in various industrial sectors, including software development, hardware manufacturing, think tanks, telecom operators, universities and foreign governments.
The group has been tracked under different names by several cybersecurity companies. Kaspersky has followed its activity since 2012 under the name Winnti, which it also uses to identify the malware used in the group's attacks.
Likewise, Mandiant has followed the group since 2014 and noticed that its activities overlapped with those of other known Chinese hacking groups such as BARIUM.
The United States Department of Justice charged five Chinese nationals linked to APT41 in September 2020 for their involvement in cyberattacks against more than 100 companies.
“Unlike many nation-state-backed APT groups, APT41 has a history of compromising both government organizations for espionage purposes, as well as different private companies for financial gain,” Lookout said in a report published this week.
Android spyware link
While APT41 hackers typically penetrate their targets’ networks through vulnerable web applications and Internet-exposed endpoints, Lookout says the group also targets Android devices with the WyrmSpy and DragonEgg spyware strains.
Lookout first identified WyrmSpy in 2017 and DragonEgg in early 2021, with the most recent example dating back to April 2023.
Both Android malware strains gain extensive data collection and exfiltration capabilities on compromised devices once secondary payloads are deployed.
While WyrmSpy disguises itself as the default operating system app, DragonEgg is camouflaged as third-party keyboard or messaging apps, using these guises to evade detection.
The two malware strains also share overlapping Android signing certificates, reinforcing their connection to a single threat actor.
Lookout discovered the link to APT41 after finding a command and control (C2) server at the IP address 121.42.149[.]52, which vpn2.umisen[.]com resolves to and which is hard-coded into the malware's source code.
That server was part of APT41's attack infrastructure between May 2014 and August 2020, as revealed in the US Department of Justice's September 2020 indictment.
“Lookout researchers have not yet encountered any samples in the wild and assess with moderate confidence that they are distributed to victims through social engineering campaigns. Google has confirmed that based on current detection, no apps containing this malware are found on Google Play,” Lookout said.
However, APT41’s focus on Android devices “shows that mobile devices are high-value targets with coveted data.”