EagleMsgSpy is a Chinese-made surveillance tool used by Chinese authorities since at least 2017. It's still being actively developed. This spyware, installed via an APK file, operates secretly on targeted devices to gather sensitive information.
The tool was uncovered by Lookout’s research group, which also recently discovered two Android spyware families, BoneSpy and PlainGnome, attributed to the Russian Gamaredon (Primitive Bear, Shuckworm) APT group, believed to have ties to Russian intelligence services.
The EagleMsgSpy payload gathers an alarming amount of sensitive data from infected devices, showcasing its broad surveillance capabilities. It intercepts notifications and messages, records conversations from popular apps like WhatsApp and WeChat, and captures screenshots and screen recordings. The spyware logs call histories, contacts, and SMS messages while tracking GPS locations and network details. It can also compile a list of external storage files, browser bookmarks, and installed apps. This level of invasive monitoring paints a troubling picture of the tool's functionality and intent.

The Eagle manual calls this the "Contact Geographical Distribution" graph, showing the geographical spread of contacts in the address book, messages, and call records. (Source: Lookout)
Lookout researchers discovered that EagleMsgSpy requires physical access to devices for installation, with law enforcement likely deploying the tool manually on unlocked devices. The spyware hasn't been found on any app store, which suggests that this is the only mode of deployment, available to a limited set of operators.
Its deployment requires users to input a “channel,” indicating it may be used by multiple operators. The spyware's evolving obfuscation and encrypted key storage show signs of it being an actively maintained product. The source code indicates that the spyware can distinguish and target both Android and iOS devices. While the iOS version hasn't been publicly identified yet, the code's structure suggests its existence.
Attack Sequence of EagleMsgSpy
- Installation requires physical access to the target device; the APK is delivered and installed manually by law enforcement.
- Once installed, EagleMsgSpy runs without a visible interface, operating covertly to collect sensitive data.
- Collected data is stored in a hidden directory on the device for later exfiltration.
- Files are compressed and password-protected before being sent to a command-and-control (C2) server.
- C2 servers host an admin panel with user authentication, labeled as “Stability Maintenance Judgment System,” allowing administrators to manage and review collected data.
- Administrators can initiate real-time activities including photo collection, screenshots, audio recording, and blocking communications.

Public security bureaus in mainland China linked to EagleMsgSpy infrastructure. (Source: Lookout)
In their report, Lookout shows that the C2 servers associated with the spyware have ties to a Chinese tech company, Wuhan Chinasoft Token Information Technology, and government websites like the Yantai and Dengfeng Public Security Bureaus.