- Surveillance tools are used by Chinese law enforcement officers
- Messages, call logs and audio recordings were collected
- Spyware and surveillance software is becoming increasingly common
A new surveillance tool has been used by Chinese law enforcement since 2017 to collect “extensive” information from mobile devices.
A new report from Lookout notes that EagleMsgSpy is a legal interception tool developed by a Chinese software company. The spyware targets Android devices and requires physical installation, most likely through law enforcement gaining access and unlocking the device. From there, a headless surveillance module remains on the device, which collects and exfiltrates large amounts of sensitive data.
By analyzing the installer app, cybersecurity researchers suspect that the surveillance tool is being used by multiple customers of the software vendor. This is because the user must enter a ‘channel’ that corresponds to an account.
Extensive surveillance
Researchers found evidence that the spyware is actively maintained by developers who continually protect the software from discovery and analysis, with an evolution in the “sophistication of the use of obfuscation and storage of encrypted keys over time.”
As part of the surveillance, the software collects large amounts of information about the victim, including all messages from apps such as Telegram and WhatsApp, call logs, text messages, GPS coordinates, audio recordings and screenshots of the device.
This is not the first time in recent months that Chinese state actors have used spyware. Earlier this year, the American telecommunications companies Verizon and AT&T were hacked.
The breach leveraged existing “lawful interception” infrastructure used by US law enforcement, which was then opportunistically exploited by threat actors. National security concerns in the US (and presumably China) are driving spyware and law enforcement backdoors to be developed at an alarming rate.
Critics of this software point out that the existence of spyware and surveillance tools, even if they are only used by officially sanctioned actors, means that there is a risk of the tools being exploited by threat actors.