Researchers have discovered Chinese spyware being used to target Android devices


Security researchers have discovered a new surveillance tool they say is being used by Chinese law enforcement agencies to collect sensitive data from Android devices in China.

The tool, called EagleMsgSpy, was discovered by researchers at the US cybersecurity firm Lookout. The company said at the Black Hat Europe conference on Wednesday that it has obtained several variants of the spyware, which has been in operation “since at least 2017.”

Kristina Balaam, senior intelligence researcher at Lookout, told TechCrunch that the spyware was used by “many” public security bureaus in mainland China to collect “extensive” data from mobile devices. This includes call logs, contacts, GPS coordinates, bookmarks and messages from third-party apps including Telegram and WhatsApp. According to research Lookout shared with TechCrunch, EagleMsgSpy is also capable of initiating screen recordings on smartphones and can record audio of the device during use.

A manual obtained by Lookout describes the software as a “comprehensive cell phone forensic monitoring product” that can “obtain suspects’ cell phone data in real-time through network surveillance without the suspect’s knowledge, and track and summarize all cell phone activities of criminals.”

Balaam said she has “high confidence” that EagleMsgSpy was developed by Wuhan Chinasoft Token Information Technology, a private Chinese technology company, based on infrastructure overlap. The tool’s infrastructure also reveals the developer’s ties to mainland China’s public security bureaus, government departments that essentially act as local police stations, she said.

It is not yet known how many people were targeted by EagleMsgSpy, or who they were. Balaam said the tool was likely used for internal surveillance, but noted that “anyone traveling to the area could be at risk.”

“I think if it’s just an internal control, they’d build their infrastructure somewhere that we can’t get from North America,” Balaam said. “I think it gives us some insight into what people hope they can track if they leave, whether they’re Chinese citizens or not.”

Lookout said it also observed two IP addresses tied to EagleMsgSpy that have been used by other China-linked surveillance tools, including CarbonSteal, which has been used to target Tibetan and Uyghur communities in previous campaigns.

Lookout notes that EagleMsgSpy currently requires physical access to the target device. However, Balaam told TechCrunch that the tool was still in development as late as 2024, and it’s “entirely possible” that EagleMsgSpy could be modified to not require physical access.

Lookout noted that internal documents it obtained point to the existence of an as yet undiscovered iOS version of the spyware.


