Security researchers have uncovered a new surveillance tool that they say has been used by Chinese law enforcement to collect sensitive information from Android devices in China.
The tool, named “EagleMsgSpy,” was discovered by researchers at U.S. cybersecurity firm Lookout. The company said at the Black Hat Europe conference on Wednesday that it had acquired several variants of the spyware, which it says has been operational since “at least 2017.”
Kristina Balaam, a senior intelligence researcher at Lookout, told TechCrunch the spyware has been used by “many” public security bureaus in mainland China to collect “extensive” information from mobile devices. This includes call logs, contacts, GPS coordinates, bookmarks, and messages from third-party apps including Telegram and WhatsApp. EagleMsgSpy is also capable of initiating screen recordings on smartphones, and can capture audio recordings of the device while in use, according to research Lookout shared with TechCrunch.
A manual obtained by Lookout describes the app as a “comprehensive mobile phone judicial monitoring product” that can obtain “real-time mobile phone information of suspects through network control without the suspect’s knowledge, monitor all mobile phone activities of criminals and summarize them.”
Balaam said that thanks to infrastructure overlap, she assesses with “high confidence” that EagleMsgSpy has been developed by a private Chinese technology company called Wuhan Chinasoft Token Information Technology. The tool’s infrastructure also reveals the developer’s links to public security bureaus — government offices that essentially act as local police stations — in mainland China, she said.
It’s not yet known how many individuals or who have been targeted by EagleMsgSpy. Balaam said the tool is likely being used predominantly for domestic surveillance, but notes that “anybody traveling to the region could be at risk.”
“I think if it was just about domestic surveillance, they would stand up their infrastructure in some place that we couldn’t access from North America,” Balaam said. “I think it gives us a bit of insight into the fact that they’re hoping to be able to track people if they leave, whether they are Chinese citizens, or not.”
Lookout said it also observed two IP addresses tied to EagleMsgSpy that have been used by other China-linked surveillance tools, such as CarbonSteal, which has been used in previous campaigns to target the Tibetan and Uyghur communities.
Lookout notes that EagleMsgSpy currently requires physical access to a target device. However, Balaam told TechCrunch that the tool is still being developed as recently as late 2024, and said “it’s entirely possible” that EagleMsgSpy could be modified to not require physical access.
Lookout noted that internal documents it obtained allude to the existence of an as-yet-undiscovered iOS version of the spyware.