EagleMsgSpy, a Chinese surveillanceware used by police to collect data from mobile devices, has been uncovered by Lookout Threat Lab researchers. The tool, active since 2017, targets Android devices, though there are indications of an iOS version that has not yet been found. Installation requires physical access to the target device, and that is the only known distribution channel: the app is not available on Google Play or any other app store.
Once launched, the spyware allows for the interception of messages, data collection from messaging apps like QQ, Telegram, WhatsApp, and WeChat, screen recording, audio recording, access to call logs, contacts, SMS, GPS coordinates, and installed applications. It also analyzes network connections, external storage, and collects browser bookmarks. The collected information is stored in a hidden directory, compressed, and password-protected before being sent to a control server.
The spyware is controlled remotely through an administrator panel called the Stability Maintenance Judgment System. From it, operators can collect photos and screenshots in real time, block calls and messages, record audio, and analyze the captured data, for example the geographical distribution of a target's contacts and how often they communicate.
Lookout researchers have linked the EagleMsgSpy server infrastructure to the Chinese company Wuhan Chinasoft Token Information Technology, which has ties to state bodies such as local public security departments in China. That infrastructure overlaps with other Chinese espionage tools, including PluginPhantom and CarbonSteal, which were previously used against ethnic minorities in China.