The prolific China-linked hacking group APT41 has been tied to two previously undocumented Android spyware strains, WyrmSpy and DragonEgg.
According to a report by Lookout, APT41, also tracked as Axiom, Blackfly, Brass Typhoon (previously Barium), Bronze Atlas, HOODOO, Wicked Panda, and Winnti, has been active since at least 2007.
The group is known for targeting a wide range of industries to steal intellectual property. It has now added mobile devices to its list of high-value targets, alongside web-facing applications and traditional endpoints.
Recent APT41 activity also included the use of the open-source red-teaming tool Google Command and Control (GC2) against media and job platforms in Taiwan and Italy.
Modus Operandi of attack
The exact method used to get the spyware onto mobile devices is not clear, but social engineering is suspected. Lookout first detected WyrmSpy in 2017 and DragonEgg in early 2021, with new DragonEgg samples identified as recently as April 2023.
- WyrmSpy initially disguises itself as a default system app for displaying notifications, but later versions pretend to be adult video content, Baidu Waimai, or Adobe Flash.
- DragonEgg, on the other hand, has been distributed as third-party Android keyboards and messaging apps, such as Telegram.
“There’s no evidence that these malicious apps were distributed through the official Google Play Store. The number of victims targeted by WyrmSpy and DragonEgg is unknown.”
Details about the takeover
WyrmSpy and DragonEgg are linked to APT41 through their use of a command-and-control server with the IP address 121.42.149[.]52, which resolves to a domain (“vpn2.umisen[.]com”) previously associated with the group’s infrastructure.
Source: Lookout
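The attribution above rests on a shared network indicator: the C2 IP address and the domain it resolves to. The following is an added example, not code from the Lookout report, showing how a defender would sweep DNS and proxy logs for those two indicators. The log lines are constructed for the example (not real telemetry), and the log format, field names and host names other than the two indicators are assumptions. It matches hosts exactly (or as subdomains) rather than by substring, which avoids both missing a subdomain of the C2 domain and false-positive prefix matches.

```python
import ipaddress
import re

# Indicators taken from the attribution above, written defanged as on the page.
IOC_IP = "121.42.149[.]52"
IOC_DOMAIN = "vpn2.umisen[.]com"

# Constructed sample log lines (not real telemetry). Lines 1, 2 and 6 should
# match; line 4 is a different IP that shares a prefix with the IOC, and line 5
# is an unrelated host whose name merely contains the IOC domain as a substring.
SAMPLE_LOGS = [
    "2023-07-19T10:02:11Z dns client=10.0.0.23 query=vpn2.umisen.com type=A",
    "2023-07-19T10:02:12Z proxy src=10.0.0.23 dst=121.42.149.52:443 action=allow",
    "2023-07-19T10:02:13Z dns client=10.0.0.24 query=updates.example.org type=A",
    "2023-07-19T10:02:14Z proxy src=10.0.0.24 dst=121.42.149.5:443 action=allow",
    "2023-07-19T10:02:15Z dns client=10.0.0.25 query=vpn2.umisen.com.cdn-example.net type=A",
    "2023-07-19T10:02:16Z dns client=10.0.0.26 query=c2.vpn2.umisen.com type=A",
]

# Assumed log layout: DNS lines carry "query=<name>", proxy lines "dst=<host>:<port>".
HOST_RE = re.compile(r"(?:query|dst)=([^\s:]+)")


def refang(indicator: str) -> str:
    """Turn defanged notation ("[.]", "hxxp") back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def extract_hosts(line: str) -> list[str]:
    """Pull every queried name / destination host out of one log line."""
    return [h.lower() for h in HOST_RE.findall(line)]


def match_iocs(lines: list[str], iocs: list[str]) -> list[tuple[int, str]]:
    """Return (1-based line number, matched indicator) for every IOC hit.

    IPs must match exactly; domains match exactly or as a parent of the
    observed name (c2.vpn2.umisen.com is still the C2 domain).
    """
    ip_iocs: set[str] = set()
    domain_iocs: set[str] = set()
    for ioc in iocs:
        clean = refang(ioc)
        try:
            ipaddress.ip_address(clean)
            ip_iocs.add(clean)
        except ValueError:
            domain_iocs.add(clean)

    hits: list[tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        for host in extract_hosts(line):
            if host in ip_iocs:
                hits.append((number, host))
                continue
            for domain in domain_iocs:
                if host == domain or host.endswith("." + domain):
                    hits.append((number, domain))
                    break
    return hits


def naive_substring_hits(lines: list[str], iocs: list[str]) -> list[int]:
    """The shortcut many ad-hoc sweeps use; included to show its false positive."""
    clean = [refang(i) for i in iocs]
    return [n for n, line in enumerate(lines, start=1) if any(i in line for i in clean)]


if __name__ == "__main__":
    for number, indicator in match_iocs(SAMPLE_LOGS, [IOC_IP, IOC_DOMAIN]):
        print(f"line {number}: contact with APT41 indicator {indicator}")
    print("naive substring sweep flags lines:", naive_substring_hits(SAMPLE_LOGS, [IOC_IP, IOC_DOMAIN]))
```

On the constructed sample the exact/suffix matcher reports lines 1, 2 and 6, while the substring sweep additionally flags line 5, an unrelated host under another domain. Feed the matcher your resolver and proxy exports, adjusting `HOST_RE` to your log layout.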
Once installed, both malware families:
- request intrusive permissions and have sophisticated data collection and exfiltration capabilities, gathering the user's photos, location, SMS messages, and audio recordings;
- rely on additional modules downloaded after installation from a C2 server that is now offline, which keeps the initial app's footprint small to avoid detection and also hampers analysis of the full capability.
WyrmSpy can also disable Security-Enhanced Linux (SELinux), a core Android security mechanism, and uses rooting tools such as KingRoot11 to gain elevated privileges on infected devices.
DragonEgg, on the other hand, contacts the C2 server to fetch an unknown tertiary module that poses as a forensics program.
Concluding thoughts
Kristina Balaam, a senior threat researcher at Lookout, warned that advanced Android malware such as WyrmSpy and DragonEgg is a growing threat, since it can collect extensive data from compromised devices.
With that in mind, keep devices updated, install apps only from official stores (neither family has been seen on Google Play), and treat any app that asks for SMS, location, microphone and storage access it has no plausible need for as suspect.