GoldenEagle Description

GoldenEagle is an Android Trojan that was first discovered by security analysts in 2012. The GoldenEagle threat appears to have remained active over the years as its creators have introduced multiple updates to this malware.

The early variants of the GoldenEagle malware were not very advanced, and their exfiltration method was rather simplistic. The first copies of the GoldenEagle threat used the SMTP protocol to steal data, sending emails to an inbox controlled by the malware's developers. These emails contained information about the victim's activity and about the hardware and software of the compromised host. In more recent variants of the GoldenEagle malware, however, the authors of the threat introduced a new exfiltration technique: instead of relying on SMTP, the GoldenEagle malware uses the HTTP protocol, which allows the threat to exfiltrate more data.

Despite the fact that the GoldenEagle malware has been around since 2012, this Android threat has not spread worldwide. Instead, the activity of the GoldenEagle threat appears to be mainly concentrated in the Chinese region. Furthermore, the operators of the GoldenEagle go after specific demographics – Tibetan activists and members of the Uyghur community in China.

To distribute this nasty threat, the operators of the GoldenEagle malware appear to utilize various bogus applications. In the case of the Uyghur targets, the GoldenEagle threat was delivered via news applications, keyboard layouts, flight and travel tools and social media applications, Quran-related utilities, etc. In the case of the Tibetan victims, the GoldenEagle malware was spread with the help of Trojanized copies of the 'Beautiful Featured Tibet Wallpaper,' 'Quick Search Tibet' and 'Travel Notes in Tibet' applications.

When the GoldenEagle malware compromises a targeted device, it will allow its creators to:

  • Use the device's microphone to record calls or environmental audio.
  • Use the device's GPS sensor to obtain details about the victim's location.
  • Use both the device's front and back camera to take photos.
  • Take screenshots of the device's screen.
  • Obtain the contacts list of the victim.
  • Obtain a list of the applications installed on the device.
  • Obtain files related to popular instant messaging applications.
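
Each capability in the list above requires the Trojanized app to declare a corresponding Android permission, which is one of the first things a defender or analyst looks at when triaging a suspicious APK. The following is an added example (not code from the original page or from any GoldenEagle sample) that reads a decoded AndroidManifest.xml, maps the declared permissions onto the capability list above, and flags capabilities a benign app of the claimed type would not need. It assumes the manifest has already been decoded to plain XML (for instance with a tool such as apktool), and it uses a constructed sample manifest for a hypothetical wallpaper app; the capability-to-permission mapping is a standard one and is an assumption about what such an app would need, not an indicator of compromise on its own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capabilities from the description above mapped to the standard Android
# permissions an app must declare to perform them. Assumption: the "files of
# messaging apps" capability is approximated by shared-storage read access.
CAPABILITY_PERMISSIONS = {
    "record audio or calls": {"android.permission.RECORD_AUDIO"},
    "track location": {"android.permission.ACCESS_FINE_LOCATION",
                       "android.permission.ACCESS_COARSE_LOCATION"},
    "take photos": {"android.permission.CAMERA"},
    "read contacts": {"android.permission.READ_CONTACTS"},
    "read files on shared storage": {"android.permission.READ_EXTERNAL_STORAGE"},
}

# Constructed sample manifest for a hypothetical wallpaper app; NOT taken from
# any real sample. Package name is a placeholder.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper.hypothetical">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Wallpapers"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for elem in root.iter("uses-permission"):
        # The 'name' attribute lives in the android: namespace.
        name = elem.get("{%s}name" % ANDROID_NS)
        if name:
            perms.add(name)
    return perms


def matched_capabilities(perms):
    """Capabilities from the list above that the declared permissions enable."""
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items()
                  if perms & needed)


def assess(manifest_xml, expected_caps=frozenset()):
    """Triage summary: which surveillance capabilities the app could have,
    which of them are unexpected for its claimed purpose, and whether it also
    holds INTERNET (needed for the HTTP exfiltration described above)."""
    perms = declared_permissions(manifest_xml)
    caps = matched_capabilities(perms)
    return {
        "permissions": perms,
        "capabilities": caps,
        "unexpected": [c for c in caps if c not in expected_caps],
        "network_exfil_possible": "android.permission.INTERNET" in perms,
    }


if __name__ == "__main__":
    # A wallpaper app plausibly reads shared storage; nothing else on the list.
    report = assess(SAMPLE_MANIFEST, expected_caps={"read files on shared storage"})
    for key, value in report.items():
        print(key, ":", value)
```

Run against a decoded manifest, the "unexpected" list is what a reviewer escalates: a wallpaper or search utility that can record audio, read contacts, use the camera and report location, and also has network access, matches the profile described on this page and deserves a closer look at its code and traffic.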

Some of the latest copies of the GoldenEagle malware appear to be rather similar to another Android threat called CarbonSteal. Both strains of malware target the same demographics, which has led security researchers to believe that the creators of the GoldenEagle and CarbonSteal threats are either the same individuals or cooperating hacking groups. Protect your Android device by using a modern antivirus utility compatible with your OS.