Researchers Link DragonEgg Android Spyware to LightSpy iOS Surveillanceware



Oct 04, 2023THNMobile Safety / Spy ware


New findings have identified connections between an Android spyware known as DragonEgg and another sophisticated, modular iOS surveillanceware tool named LightSpy.

DragonEgg, alongside WyrmSpy (aka AndroidControl), was first disclosed by Lookout in July 2023 as a strain of malware capable of gathering sensitive data from Android devices. It was attributed to the Chinese nation-state group APT41.

LightSpy, on the other hand, came to light in March 2020 as part of a campaign dubbed Operation Poisoned News, in which Apple iPhone users in Hong Kong were targeted with watering hole attacks to install the spyware.


Now, according to Dutch mobile security firm ThreatFabric, the attack chains involve a trojanized Telegram app that is designed to download a second-stage payload (smallmload.jar), which, in turn, is configured to download a third component codenamed Core.

Further analysis of the artifacts has revealed that the implant has been actively maintained since at least December 11, 2018, with the latest version released on July 13, 2023.


The core module of LightSpy (i.e., DragonEgg) functions as an orchestrator plugin responsible for gathering the device fingerprint, establishing contact with a remote server, awaiting further instructions, and updating itself as well as the plugins.

"LightSpy Core is extremely flexible in terms of configuration: operators can precisely control the spyware using the updatable configuration," ThreatFabric said, noting that WebSocket is used for command delivery and HTTPS is used for data exfiltration.

Some of the notable plugins include a locationmodule that tracks victims' precise locations, soundrecord that can capture ambient audio as well as audio from WeChat VOIP conversations, and a bill module that gathers payment history from WeChat Pay.

LightSpy's command-and-control (C2) comprises several servers located in Mainland China, Hong Kong, Taiwan, Singapore, and Russia, with the malware and WyrmSpy sharing the same infrastructure.


ThreatFabric said it also identified a server hosting data from 13 unique phone numbers belonging to Chinese phone operators, raising the possibility that the data represents either the testing numbers of LightSpy's developers or those of victims.

The links between DragonEgg and LightSpy stem from similarities in configuration patterns, runtime structure and plugins, and the C2 communication format.


"The way the threat actor group distributed the initial malicious stage within a popular messenger was a clever trick," the company said.

"There were several benefits of that: the implant inherited all the access permissions that the carrier application had. In the case of a messenger, there were several private permissions such as camera and storage access."
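The two observations above, a host app that downloads and loads code it did not ship with (the Telegram → smallmload.jar → Core chain) and a loaded payload that inherits every permission the host already holds, are exactly what a static triage pass over an APK can flag. The following is an added example written for this page, not ThreatFabric's or Lookout's tooling, and it makes two assumptions: the APK's manifest has already been decoded to plain XML (real APKs store it as binary AXML, so a real run would first pass it through apktool or androguard), and the sample archive, its member names (`assets/stage2.jar`) and its DEX contents are constructed here to make the script run offline. The class-loader descriptors and permission names are genuine Android identifiers.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android runtime ("dangerous") permissions. Anything loaded into the host
# process inherits these without a prompt, which is the point of hiding a
# downloader inside a messenger that already holds camera and storage access.
SENSITIVE_PERMISSIONS = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Class descriptors that land in a DEX string table when the app loads code
# at runtime; a staged downloader needs one of these to run a fetched jar.
DYNAMIC_LOADER_MARKERS = (
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
)

PRIMARY_DEX = re.compile(r"^classes\d*\.dex$")
CODE_SUFFIXES = (".dex", ".jar", ".apk", ".zip")


def triage_apk(apk_bytes: bytes) -> dict:
    """Static triage of an APK-like zip: code shipped outside classes*.dex,
    dynamic class-loader references, and sensitive permissions declared."""
    findings = {"secondary_code": [], "dynamic_loaders": [], "sensitive_permissions": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        for name in names:
            if PRIMARY_DEX.match(name):
                blob = z.read(name)
                for marker in DYNAMIC_LOADER_MARKERS:
                    if marker in blob:
                        findings["dynamic_loaders"].append(marker.decode())
            elif name.lower().endswith(CODE_SUFFIXES):
                findings["secondary_code"].append(name)
        if "AndroidManifest.xml" in names:
            root = ET.fromstring(z.read("AndroidManifest.xml"))
            declared = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
            findings["sensitive_permissions"] = sorted(declared & SENSITIVE_PERMISSIONS)
    return findings


def is_staged_loader(findings: dict) -> bool:
    """Heuristic verdict. A loader reference alone is common in benign apps
    (plugins, hot-patching); a loader plus embedded or fetched secondary code
    plus broad runtime permissions is the shape of the chain described above."""
    return (bool(findings["dynamic_loaders"])
            and bool(findings["secondary_code"])
            and len(findings["sensitive_permissions"]) >= 2)


def _build_apk(members: dict) -> bytes:
    """Constructed helper: pack name->bytes members into an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed sample manifest (decoded XML, not binary AXML) for a messenger
# that already holds camera, microphone, location and storage permissions.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="org.example.messenger">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""


def build_trojanized_sample() -> bytes:
    """Constructed: a fake DEX header with a DexClassLoader reference in its
    string table, plus a bundled second-stage jar under assets/."""
    fake_dex = b"dex\n035\x00" + b"\x00" * 32 + b"Ldalvik/system/DexClassLoader;\x00"
    return _build_apk({
        "AndroidManifest.xml": SAMPLE_MANIFEST,
        "classes.dex": fake_dex,
        "assets/stage2.jar": b"PK\x03\x04constructed-second-stage",
        "res/drawable/icon.png": b"\x89PNG\r\n\x1a\n",
    })


def build_benign_sample() -> bytes:
    """Constructed: same manifest, no dynamic loader, no secondary code."""
    return _build_apk({
        "AndroidManifest.xml": SAMPLE_MANIFEST,
        "classes.dex": b"dex\n035\x00" + b"\x00" * 32 + b"Lorg/example/Main;\x00",
        "res/drawable/icon.png": b"\x89PNG\r\n\x1a\n",
    })


if __name__ == "__main__":
    for label, apk in (("trojanized", build_trojanized_sample()), ("benign", build_benign_sample())):
        f = triage_apk(apk)
        print(label, "->", "SUSPICIOUS" if is_staged_loader(f) else "clean", f)
```

The secondary-code check only catches payloads bundled in the archive; a downloader that fetches its jar from a C2 at runtime, as the article describes, shows up here only through the loader reference together with the permission set, which is why the verdict requires all three signals rather than treating a `DexClassLoader` string as proof on its own.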
