New findings have identified connections between an Android spyware called DragonEgg and another sophisticated modular iOS surveillanceware tool named LightSpy.
DragonEgg, alongside WyrmSpy (aka AndroidControl), was first disclosed by Lookout in July 2023 as a strain of malware capable of gathering sensitive data from Android devices. It was attributed to the Chinese nation-state group APT41.
On the other hand, details about LightSpy came to light in March 2020 as part of a campaign dubbed Operation Poisoned News in which Apple iPhone users in Hong Kong were targeted with watering hole attacks to install the spyware.
Now, according to Dutch mobile security firm ThreatFabric, DragonEgg attack chains involve the use of a trojanized Telegram app that's designed to download a second-stage payload (smallmload.jar), which, in turn, is configured to download a third component codenamed Core.
Further analysis of the artifacts has revealed that the Android variant of the implant has been actively maintained since at least December 11, 2018, with the latest version released on July 13, 2023. This includes 14 related plugins and the core implant that supports 24 commands.
The core module of LightSpy (i.e., DragonEgg) functions as an orchestrator plugin responsible for gathering the device fingerprint, establishing contact with a remote server, awaiting further instructions, and updating itself as well as the plugins.
"LightSpy Core is extremely flexible in terms of configuration: operators can precisely control the spyware using the updatable configuration," ThreatFabric said, noting that WebSocket is used for command delivery and HTTPS is used for data exfiltration.
Some of the notable plugins include a locationmodule that tracks victims' precise locations, soundrecord that can capture ambient audio as well as from WeChat VOIP audio conversations, and a bill module to gather payment history from WeChat Pay.
LightSpy's command-and-control (C2) comprises several servers located in Mainland China, Hong Kong, Taiwan, Singapore, and Russia, with the malware and WyrmSpy sharing the same infrastructure.
ThreatFabric said it also identified a server hosting data from 13 unique phone numbers belonging to Chinese cell phone operators, raising the possibility that the data either represents the testing numbers of LightSpy developers or victims'.
The links between DragonEgg and LightSpy stem from similarities in configuration patterns, runtime structure and plugins, and the C2 communication format.
"The way the threat actor group distributed the initial malicious stage inside popular messenger was a clever trick," the company said.
"There were several benefits of that: the implant inherited all the access permissions that the carrier application had. In the case of messenger, there were a lot of private permissions such as camera and storage access."