The Chinese hacking group tracked as APT41 targets Android devices with two newly identified spyware strains, WyrmSpy and DragonEgg.
According to Lookout, threat actors like APT41 exploit web-facing applications, compromise traditional endpoints, and also include mobile devices in their malware arsenal.
In the past, APT41 has targeted various industries in the US, Asia, and Europe. Its cyber-espionage operations have hit software development and hardware manufacturing firms, think tanks, telecommunications providers, universities, and foreign governments.
The group has been tracked under various names by multiple cybersecurity companies. Kaspersky has monitored its activity since 2012 under the name Winnti, the name it also uses for the malware employed in the attacks. Mandiant has tracked the group since 2014 and noted that its activity overlaps with other known Chinese hacking groups such as BARIUM.
APT41, also referred to as Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, HOODOO, Wicked Panda, and Winnti, has been operating since 2007, targeting a wide range of industries.
Lookout reported this week that, unlike many nation-state-backed APT groups, APT41 compromises both government organisations for espionage and private businesses for financial gain.
Alongside vulnerable web applications and Internet-exposed endpoints, APT41 now targets Android devices with the WyrmSpy and DragonEgg spyware strains. Lookout first identified WyrmSpy in 2017 and DragonEgg in early 2021; the most recent sample dates from April 2023.
Both strains also share overlapping Android signing certificates, indicating that a single operator is behind them. Lookout tied the tooling to APT41 when it found a hard-coded command-and-control (C2) server in the malware's source code: the IP address 121.42.149[.]52, which resolved to the domain vpn2.umisen[.]com. According to the Department of Justice's September 2020 indictment, that server was part of APT41's attack infrastructure from May 2014 to August 2020.
Lookout's researchers have not encountered the samples in the wild and assess with moderate confidence that the spyware is distributed to victims through social engineering campaigns. Google confirmed that, based on current detection, no apps containing this malware are found on Google Play, Lookout said.
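The two published indicators above are defanged, which is how a responder receives them but not how they appear in logs. The following Python script is an added example, not Lookout's tooling or anything from the report: it refangs the IP and domain, builds boundary-aware matchers (so a lookalike such as a longer domain that merely starts with vpn2.umisen.com, or a longer IP that contains the C2 address as a suffix, is not flagged), scans DNS and proxy log lines, and lists the internal hosts that talked to the C2. The syslog-style log format and the 10.0.0.0/8 client addresses are constructed for the example.

```python
"""Added example: hunt for the WyrmSpy/DragonEgg C2 indicators in DNS and proxy logs.
Not Lookout's code; the log lines and log format below are constructed."""
import ipaddress
import re

# Indicators exactly as published (defanged); refanged before matching.
RAW_IOCS = ["121.42.149[.]52", "vpn2.umisen[.]com"]

# Constructed sample logs: a resolver log and a forward-proxy log, one line per event.
# Line 5 is a deliberate lookalike that must NOT match (the IOC domain as a prefix
# of a longer name, and an unrelated answer address).
SAMPLE_LOGS = """\
2023-04-12T09:14:03Z dns client=10.0.0.23 query=vpn2.umisen.com type=A answer=121.42.149.52
2023-04-12T09:14:04Z proxy src=10.0.0.23 dst=121.42.149.52:443 host=vpn2.umisen.com method=POST bytes=1842
2023-04-12T09:15:10Z dns client=10.0.0.41 query=update.example.org type=A answer=93.184.216.34
2023-04-12T09:16:00Z proxy src=10.0.0.41 dst=93.184.216.34:443 host=update.example.org method=GET bytes=512
2023-04-12T09:17:22Z dns client=10.0.0.57 query=vpn2.umisen.com.cdn.example.net type=A answer=203.0.113.9
"""


def refang(ioc: str) -> str:
    """Turn defanged notation ('[.]', 'hxxp') back into the form found in logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


def classify(ioc: str) -> str:
    """'ip' if the indicator parses as an IPv4/IPv6 address, else 'domain'."""
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        return "domain"


def build_matchers(raw_iocs):
    """Compile one boundary-aware regex per indicator."""
    matchers = []
    for raw in raw_iocs:
        ioc = refang(raw)
        if classify(ioc) == "ip":
            # No digit or dot on either side: 1121.42.149.52 and 121.42.149.520 do not match.
            pat = re.compile(r"(?<![\d.])" + re.escape(ioc) + r"(?![\d.])")
        else:
            # Match the domain or any subdomain of it (foo.vpn2.umisen.com), but not a
            # longer name that only starts with it (vpn2.umisen.com.cdn.example.net).
            pat = re.compile(
                r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(ioc) + r"(?![\w-]|\.[\w-])"
            )
        matchers.append((ioc, pat))
    return matchers


def scan(log_text: str, raw_iocs=RAW_IOCS):
    """Return (line_no, indicator, line) for every log line containing an indicator."""
    hits = []
    matchers = build_matchers(raw_iocs)
    for n, line in enumerate(log_text.splitlines(), 1):
        lowered = line.lower()
        for ioc, pat in matchers:
            if pat.search(lowered):
                hits.append((n, ioc, line))
    return hits


def affected_hosts(hits):
    """Pull the internal client/src address out of each hit so IR can pivot to the device."""
    hosts = set()
    for _, _, line in hits:
        m = re.search(r"(?:client|src)=(\d{1,3}(?:\.\d{1,3}){3})", line)
        if m:
            hosts.add(m.group(1))
    return sorted(hosts)


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for line_no, ioc, line in found:
        print(f"line {line_no}: {ioc} -> {line}")
    print("hosts to triage:", affected_hosts(found))
```

On the constructed logs only lines 1 and 2 fire (each on both the IP and the domain), and the single host 10.0.0.23 is returned for triage; line 5, which contains the C2 domain as a prefix of an unrelated name, is correctly ignored. A domain match on its own is the weaker signal: the DNS line tells you a device resolved the name, while the proxy line with a POST to the C2 address is the one that shows the implant actually checked in.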
According to Lookout, APT41's interest in Android devices indicates that mobile endpoints are valuable targets with coveted data.
Want your digital assets to be protected?
CyberShelter provides innovative and modern cybersecurity products and niche services that protect individuals and organisations against all kinds of cyber threats.
For the latest cyber threats and the latest hacking news please follow us on Facebook, Linkedin, and Twitter.