Chinese Threat Group APT41 Linked To Android Malware Attacks

Security researchers say a Chinese state-sponsored espionage group is using WyrmSpy and DragonEgg surveillance malware to target Android mobile devices.

See Also: Strengthening Critical Infrastructure Security

Researchers at cybersecurity company Lookout said APT41, also tracked as BARIUM, Earth Baku and Winnti, primarily relies on web application attacks and software vulnerabilities and uses WyrmSpy and DragonEgg to target organizations globally.

The company said APT41 recently switched tactics to develop malware specific to the Android operating system, relying on existing command-and-control infrastructure, IP addresses and domains to communicate with and issue commands to the two malware variants.

APT41 historically exploited specific web applications and software vulnerabilities to carry out surveillance on pre-defined target organizations. According to Mandiant, the group in May 2021 exploited a zero-day vulnerability in the USAHerds application and several vulnerable Internet-facing web applications to successfully compromise at least six U.S. state government networks.

Research by Recorded Future’s Insikt Group also revealed that the cyberespionage group, along with the Tonto Team, targeted four regional despatch centers responsible for operating India’s power grid shortly after India and China engaged in border clashes, which resulted in combat-related casualties for the first time in 45 years.

Android Malware Historically Not On APT41’s Playbook

According to Lookout, APT41 likely used social engineering to distribute WyrmSpy and DragonEgg surveillance malware to Android devices, often by disguising the former as a default Android system application and the latter as third-party Android keyboards and messaging applications such as Telegram.

It is unclear whether the two malware types were distributed via Google Play…