EagleMsgSpy: A Sophisticated Android Surveillance Tool Linked to China

1 year ago | Cybersecurity


Jakarta, INTI – In a striking revelation, cybersecurity researchers have uncovered a highly sophisticated surveillance program allegedly used by Chinese law enforcement agencies. Dubbed EagleMsgSpy by the research team at Lookout, this tool has been operational since at least 2017 and is designed to siphon a wide array of sensitive information from mobile devices without the user’s knowledge.

The tool's capabilities include intercepting chat messages, recording screens, capturing screenshots, and even monitoring GPS locations in real time. Its latest sample was discovered on the malware scanning platform VirusTotal as recently as September 25, 2024, signaling its continued use and active maintenance.

This revelation underscores the growing risks of digital surveillance and raises concerns about the misuse of advanced technologies to infringe on privacy rights globally.

Unpacking EagleMsgSpy: A Surveillance Powerhouse

EagleMsgSpy operates as a two-part system: an APK installer file and a surveillance client. Once installed, the client runs discreetly in the background, silently collecting data from the device. According to Kristina Balaam, Senior Staff Threat Intelligence Researcher at Lookout, the tool’s design is a testament to its developers’ focus on comprehensive monitoring.

"This surveillanceware collects a wealth of data from users," Balaam stated. "It includes third-party chat messages, screen recordings, screenshots, audio recordings, call logs, device contacts, SMS messages, location data, and network activity."

Notably, EagleMsgSpy has been described in internal documentation as a “judicial monitoring product.” This description suggests that the tool is marketed to law enforcement agencies for tracking and gathering information on individuals under investigation. The tool’s capabilities extend to monitoring apps like QQ, Telegram, Viber, WhatsApp, and WeChat, and extracting browser bookmarks, external storage files, and a complete list of installed applications.

The data collected is compressed into password-protected archives and sent to a command-and-control (C2) server, where it can be accessed and analyzed by authorized users.

Links to Wuhan-Based Developers

The surveillance program has been attributed to Wuhan Chinasoft Token Information Technology Co., Ltd., also known as Wuhan ZRTZ Information Technology Co., Ltd. This connection was established through overlapping infrastructure and references within the source code.

Lookout's investigation also uncovered internal company documents stored in open directories. These documents suggest the possibility of an iOS variant of EagleMsgSpy, although no concrete samples have been found in the wild.

One key piece of evidence tying EagleMsgSpy to Wuhan is a hardcoded phone number with a Wuhan area code found in multiple samples of the malware. This link strengthens suspicions that the company behind the tool is based in China and actively collaborates with local law enforcement.

How EagleMsgSpy Operates

EagleMsgSpy’s deployment requires physical access to the target device, making its use somewhat limited but no less concerning. Once access is gained, the tool is installed via an APK module that delivers the core surveillance payload, often referred to as "MM" or "eagle_mm."

The installation process can involve several methods, including scanning QR codes or using a physical device connected via USB to inject the malware. Once installed, the tool operates covertly in the background, hiding its activities from the device owner while continuously gathering data.

Communication between the surveillance client and the C2 server is facilitated through WebSockets using the STOMP protocol. This allows the tool to send status updates and receive instructions in real time, ensuring that the data collection process remains dynamic and responsive to operational needs.
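How a network analyst can pick such traffic apart, as an added example that is not Lookout's code or part of the article: a small parser for STOMP frames carried in WebSocket message payloads, plus a session heuristic that flags the connect/subscribe/send pattern of a tasked agent. The sample frames, the destinations and the byte threshold are constructed assumptions, not observed EagleMsgSpy values.

```python
# Added example: STOMP frame parser plus a session heuristic for WebSocket captures.
from collections import Counter


def parse_stomp(payload: bytes) -> list:
    """Split a WebSocket payload into STOMP frames as (command, headers, body).
    Layout: COMMAND, 'key:value' header lines, blank line, body, NUL terminator.
    Limitation: bodies containing NUL (binary + content-length) are not handled."""
    frames = []
    for raw in payload.split(b"\x00"):
        raw = raw.replace(b"\r\n", b"\n").lstrip(b"\n")
        if not raw:
            continue  # heartbeat EOLs or the empty tail after the last NUL
        head, _, body = raw.partition(b"\n\n")
        lines = head.decode("utf-8", "replace").split("\n")
        headers = {}
        for line in lines[1:]:
            key, _, value = line.partition(":")  # values may themselves contain ':'
            headers[key.strip()] = value.strip()
        frames.append((lines[0], headers, body.decode("utf-8", "replace")))
    return frames


def summarize(frames) -> dict:
    """Per-session facts a detection rule can key on."""
    counts = Counter(cmd for cmd, _, _ in frames)
    destinations = sorted({h["destination"] for _, h, _ in frames if "destination" in h})
    sent_bytes = sum(len(body.encode()) for cmd, _, body in frames if cmd == "SEND")
    return {"counts": dict(counts), "destinations": destinations, "sent_bytes": sent_bytes}


def looks_like_tasked_agent(frames, min_sent_bytes=16) -> bool:
    """Heuristic (an assumption, not a Lookout signature): a client that CONNECTs,
    SUBSCRIBEs to receive instructions and then SENDs data behaves like the
    status-reporting agent described above."""
    s = summarize(frames)
    return (s["counts"].get("CONNECT", 0) > 0 and s["counts"].get("SUBSCRIBE", 0) > 0
            and s["sent_bytes"] >= min_sent_bytes)


# Constructed sample session (not real EagleMsgSpy traffic; destinations are invented).
SAMPLE = (
    b"CONNECT\naccept-version:1.2\nhost:example.invalid\n\n\x00\n"
    b"SUBSCRIBE\nid:0\ndestination:/user/queue/commands\n\n\x00\n"
    b"SEND\ndestination:/app/status\ncontent-type:application/json\n\n"
    b'{"battery":87,"gps":"-6.2,106.8"}\x00'
)
```

Feed `parse_stomp` the text payload of each WebSocket message from a capture; the heuristic is a triage aid, so confirm hits against the destinations and body contents before acting on them.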

Advanced Obfuscation Techniques

Early versions of EagleMsgSpy used minimal obfuscation, making them relatively easy to detect and analyze. However, more recent iterations have adopted advanced techniques, including the use of ApkToolPlus, an open-source application protection tool, to conceal critical portions of the code.

The administrative panel for the C2 server, implemented using the AngularJS framework, includes robust authentication and routing mechanisms, preventing unauthorized access. This panel also includes functions to distinguish between Android and iOS devices, further suggesting that the tool’s developers are actively exploring cross-platform compatibility.

Implications for Global Privacy and Security

The discovery of EagleMsgSpy highlights a worrying trend in the misuse of technology for mass surveillance. While marketed as a tool for lawful enforcement, its covert nature raises serious ethical and legal questions.

Lookout’s investigation found that public security bureaus across China may be using this or similar tools. The administrative panel allows customers—likely law enforcement agencies—to trigger real-time data collection from infected devices.

The involvement of Wuhan ZRTZ Information Technology Co., Ltd. is further corroborated by patent applications filed by the company. These patents detail methods for collecting data from devices and generating relationship diagrams based on the collected information, such as identifying connections between a suspect and their associates.

A Broader Pattern of Surveillance

EagleMsgSpy is not an isolated case. Lookout also linked its infrastructure to other China-associated surveillance tools like PluginPhantom and CarbonSteal, which have previously targeted Tibetan and Uyghur communities.

These tools, often installed through access to unlocked victim devices, operate in the background to gather extensive data. The data is then processed server-side, although the specifics of this processing remain unclear.

Protecting Against Advanced Threats

For users worldwide, the existence of tools like EagleMsgSpy serves as a stark reminder of the importance of digital security. Basic precautions, such as avoiding suspicious QR codes, restricting physical access to devices, and regularly updating software, are essential defenses against such threats.

Cybersecurity experts also emphasize the need for stronger collaboration between governments, technology companies, and international organizations to address the growing misuse of surveillance technologies.

The Road Ahead

As technology continues to evolve, so too do the methods used by threat actors to exploit it. The discovery of EagleMsgSpy underscores the urgent need for robust privacy regulations and heightened awareness of digital security risks.

In this age of pervasive surveillance, protecting personal data is no longer a luxury—it is a necessity. Governments, corporations, and individuals must work together to ensure that technological advancements serve humanity without compromising its fundamental rights.
