New Chinese spyware EagleMsgSpy targets Android devices

According to security researchers, Chinese law enforcement has been using a newly discovered surveillance tool to gather private data from Android handsets in China.

Researchers at Lookout, a cybersecurity company based in the United States, found the tool, which they called EagleMsgSpy. Speaking at the Black Hat Europe conference on Wednesday, the company said it had obtained multiple versions of the spyware, which it says has been in use since “at least 2017.”

Lookout senior intelligence analyst Kristina Balaam told TechAbouts that “several” mainland Chinese public security organizations have been using the spyware to gather “vast” data from mobile devices. This includes call logs, contacts, GPS data, bookmarks, and messages from third-party apps like WhatsApp and Telegram. According to data Lookout shared with TechCrunch, EagleMsgSpy can also start screen recordings on smartphones and record audio while the device is in use.

EagleMsgSpy spyware

The software can gather “real-time mobile phone information of suspects through network control without the suspect’s awareness, monitor all mobile phone actions of criminals and summarize them,” according to a manual Lookout was able to download.

According to Balaam, she has “high confidence” that EagleMsgSpy was created by Wuhan Chinasoft Token Information IT, a private Chinese IT company, because of infrastructure overlap. According to her, the infrastructure of the tool also shows the developer’s connections to mainland China’s public security bureaus, which are government establishments that essentially serve as local police stations.

The number of people EagleMsgSpy has targeted is unknown at this time. Balaam stated that the tool is probably being used mostly for domestic monitoring, although “anyone coming to the region could be at risk.”

“I think if it was just about domestic surveillance, they would stand up their infrastructure in some place that we couldn’t access from North America,” Balaam said. “I think it gives us a bit of insight into the fact that they’re hoping to be able to track people if they leave, whether they are Chinese citizens, or not.”

Additionally, Lookout said it observed two IP addresses associated with EagleMsgSpy that have also been used by other surveillance programs connected to China, such as CarbonSteal, which has been used in past campaigns to target the Uyghur and Tibetan communities.

EagleMsgSpy presently requires physical access to a target device, according to Lookout. The tool was still being developed as recently as late 2024, Balaam told TechCrunch, adding that “it is quite plausible” that EagleMsgSpy may be altered to not require physical access.

According to Lookout, internal materials it was able to collect hint at the possibility of an iOS version of the spyware that has not been found yet.