WyrmSpy Mobile Malware
The prolific China-backed nation-state actor, APT41, has recently been linked to the discovery of two previously undocumented strains of Android spyware known as WyrmSpy and DragonEgg. APT41 is renowned for its expertise in exploiting web-facing applications and infiltrating traditional endpoint devices.
By expanding its arsenal of malware to include mobile devices, APT41 clearly demonstrates the significance of mobile endpoints as high-value targets housing coveted corporate and personal data. This highlights the increasing importance of securing mobile devices against sophisticated threats posed by established threat actors like APT41.
WyrmSpy May Have Been Used by Cybercriminals for Years
The cybercrime outfit APT41, also recognized by various names such as Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, HOODOO, Wicked Panda, and Winnti, has been operating since at least 2007, displaying a persistent presence in the cyber landscape. This sophisticated threat actor has been targeting various industries with the aim of stealing intellectual property and sensitive information.
In recent times, APT41 has been responsible for launching attacks employing an open-source red teaming tool called Google Command and Control (GC2). These attacks were specifically directed at media and job platforms in Taiwan and Italy, demonstrating the collective's ever-evolving tactics and targets.
As for their mobile surveillanceware campaign, the exact method of initial intrusion remains undisclosed, but there are suspicions of the use of social engineering techniques. WyrmSpy was first detected as early as 2017, indicating the group's prolonged and continued activities in the mobile realm. Subsequently, DragonEgg was identified at the beginning of 2021, and new samples of this malware were observed as recently as April 2023, emphasizing the ongoing threat posed by APT41.
The Threatening Capabilities Found in the WyrmSpy Android Malware
WyrmSpy employs deceptive tactics by disguising itself as a default system application responsible for displaying user notifications. In later variations, the malware has been embedded into applications posing as adult video content, Baidu Waimai and Adobe Flash. Notably, there is no evidence to suggest that these rogue apps were ever distributed through the official Google Play Store. The exact number of victims targeted by WyrmSpy remains unknown.
The connection between WyrmSpy and APT41 becomes apparent through its utilization of a Command-and-Control (C2) server with the IP address 121[.]42[.]149[.]52. This IP address corresponds to the domain 'vpn2.umisen[.]com' that has been previously associated with the infrastructure of the APT41 group.
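The two indicators above are the kind of thing a defender wants to sweep network logs for. The following is an added example (not from the original write-up or from any vendor's tooling): it refangs the defanged IP and domain as published, then matches them against a constructed set of DNS and proxy log lines in an assumed "<timestamp> <source> <dns|connect> <value>" format, also flagging subdomains of the listed domain and tolerating trailing dots and port suffixes.

```python
import ipaddress
import re

# Indicators exactly as published above, in defanged form.
DEFANGED_IOCS = ["121[.]42[.]149[.]52", "vpn2.umisen[.]com"]

# Constructed sample log lines (hypothetical export format, not a real product's).
SAMPLE_LOGS = [
    "2023-04-12T10:01:02Z 10.0.0.7 dns vpn2.umisen.com.",
    "2023-04-12T10:01:03Z 10.0.0.7 connect 121.42.149.52:443",
    "2023-04-12T10:02:00Z 10.0.0.9 dns updates.example.org",
    "2023-04-12T10:02:05Z 10.0.0.9 connect 93.184.216.34:443",
    "2023-04-12T10:03:00Z 10.0.0.11 dns api.vpn2.umisen.com",
]

LOG_LINE = re.compile(r"^\S+\s+(?P<src>\S+)\s+(?P<event>dns|connect)\s+(?P<value>\S+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('121[.]42[.]149[.]52') back into its plain form."""
    return indicator.strip().replace("[.]", ".").replace("hxxp", "http").lower()


def build_matcher(defanged):
    """Split refanged indicators into an IP set and a domain set."""
    ips, domains = set(), set()
    for ioc in defanged:
        plain = refang(ioc)
        try:
            ipaddress.ip_address(plain)
            ips.add(plain)
        except ValueError:
            domains.add(plain)
    return ips, domains


def scan_logs(lines, ips, domains):
    """Return (source, event, host) for every line whose host hits an indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        # DNS answers may carry a trailing dot; connect events carry an IPv4:port suffix.
        value = m.group("value").lower().rstrip(".")
        host = value.rsplit(":", 1)[0] if m.group("event") == "connect" else value
        if host in ips or host in domains or any(host.endswith("." + d) for d in domains):
            hits.append((m.group("src"), m.group("event"), host))
    return hits


if __name__ == "__main__":
    ip_set, domain_set = build_matcher(DEFANGED_IOCS)
    for hit in scan_logs(SAMPLE_LOGS, ip_set, domain_set):
        print("IOC hit:", hit)
```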
Once successfully installed, WyrmSpy requests intrusive permissions, allowing the threat to execute sophisticated data collection and exfiltration activities on the compromised Android device. The malware is capable of harvesting sensitive user information, including photos, location data, SMS messages, and audio recordings.
WyrmSpy also has demonstrated its adaptability by utilizing modules that are downloaded from a C2 server. This approach allows the malware to enhance its data collection capabilities while evading detection.
Additionally, WyrmSpy displays advanced functionality, as it can disable Security-Enhanced Linux (SELinux), a security feature within the Android operating system. Furthermore, it uses rooting tools such as KingRoot11 to gain elevated privileges on compromised mobile devices.