EagleMsgSpy¶
EagleMsgSpy is a lawful intercept surveillance tool developed by Wuhan Chinasoft Token Information Technology Co., Ltd. and deployed by public security bureaus across mainland China. Lookout disclosed the family in December 2024, identifying samples dating back to at least 2017. The tool operates as a two-component system: an installer APK (operated by a law enforcement officer with physical access to the unlocked target device) drops a headless surveillance module that persists in the background and exfiltrates collected data to C2 infrastructure. EagleMsgSpy harvests SMS, call logs, contacts, GPS coordinates, browser bookmarks, network activity, and messages from third-party chat applications including QQ, Telegram, Viber, WhatsApp, and WeChat. It also performs screen recording, screenshot capture, and audio recording. The C2 backend features an admin panel branded "Stability Maintenance Judgment System" (维稳研判系统), and source code references to iOS handling functions suggest a corresponding iOS variant exists, though none has been identified to date.
Quick Reference¶
| Attribute | Details |
|---|---|
| First Seen | 2017 (earliest known samples) |
| Last Seen | Active as of late 2024 |
| Status | Active, under continued development |
| Type | Lawful intercept surveillanceware |
| Attribution | Wuhan Chinasoft Token Information Technology Co., Ltd. (developer); Chinese public security bureaus (operators) |
| Distribution | Physical access to unlocked device required; installer APK not found on Google Play or app stores |
Capabilities¶
Data Collection¶
| Capability | Details |
|---|---|
| SMS harvesting | Collects all SMS messages from the device |
| Call logs | Extracts full call history |
| Contacts | Exfiltrates device contact list |
| GPS location | Tracks device coordinates |
| Browser bookmarks | Harvests saved bookmarks and browsing data |
| Network activity | Monitors network connections and Wi-Fi information |
| Third-party chat interception | Captures messages from QQ, Telegram, Viber, WhatsApp, and WeChat |
| Screen recording | Records the device screen in real time |
| Screenshot capture | Takes screenshots on demand or automatically |
| Audio recording | Records ambient audio via microphone |
Admin Panel¶
The C2 servers host an administrative panel called the "Stability Maintenance Judgment System" (维稳研判系统), built with AngularJS. Authenticated operators can trigger real-time photo collection, initiate audio recordings, capture screenshots, block incoming calls and messages, view geographical heatmaps and distribution of a target's contacts, and retrieve the top 10 most frequently contacted individuals. The panel's source code contains functions like getListIOS() that distinguish between Android and iOS platforms, implying an iOS variant exists even though Lookout has not located one.
Technical Details¶
Two-Component Architecture¶
EagleMsgSpy uses a split installer-payload design:
| Component | Role |
|---|---|
| Installer APK | Operated by the individual with physical device access; deploys and configures the surveillance payload |
| Surveillance module (headless) | Runs without any visible UI; collects data, communicates with C2 |
The installer has not been observed in any app store. Physical access to the unlocked device is the only known delivery method, consistent with a lawful intercept tool designed for use during police operations.
C2 Communication¶
The surveillance module communicates with its C2 servers using the STOMP messaging protocol carried over a WebSocket connection, sending status updates and receiving further instructions. Collected data is staged in a hidden directory on the device filesystem, then compressed into a password-protected archive and exfiltrated to C2 infrastructure. The string tzsafe appears in all known versions of the surveillance module as part of the archive password, and the domain tzsafe[.]com was found in promotional materials linked to Wuhan Chinasoft Token.
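The STOMP-over-WebSocket exchange described above, as an added example that is not part of Lookout's report or of the EagleMsgSpy code: a small STOMP 1.2 frame codec in Python for decoding the text payloads of a captured WebSocket session into commands, destinations and JSON bodies. The destinations (/user/queue/cmd, /app/status), header names and JSON payloads in the constructed sample capture are assumptions for illustration; the page does not publish the real ones.

```python
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field

# STOMP 1.2 header escaping; not applied to CONNECT/CONNECTED (1.0 compatibility rule)
_ESCAPE = {"\\": "\\\\", "\r": "\\r", "\n": "\\n", ":": "\\c"}
_UNESCAPE = {"\\\\": "\\", "\\r": "\r", "\\n": "\n", "\\c": ":"}
_HEADER_END = re.compile(rb"\r?\n\r?\n")      # blank line that ends the header block


@dataclass
class Frame:
    command: str
    headers: dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def _escape(value: str) -> str:
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            pair = value[i:i + 2]
            if pair not in _UNESCAPE:            # undefined escape is a fatal error per spec
                raise ValueError(f"undefined escape sequence {pair!r}")
            out.append(_UNESCAPE[pair])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def encode_frame(frame: Frame) -> bytes:
    """Serialise a frame: COMMAND, header lines, blank line, body, NUL terminator."""
    headers = dict(frame.headers)
    if frame.body and "content-length" not in headers:
        headers["content-length"] = str(len(frame.body))
    raw = frame.command in ("CONNECT", "CONNECTED")
    lines = [frame.command] + [
        f"{k if raw else _escape(k)}:{v if raw else _escape(v)}" for k, v in headers.items()
    ]
    return ("\n".join(lines) + "\n\n").encode("utf-8") + frame.body + b"\x00"


def parse_frames(buf: bytes) -> tuple[list[Frame], bytes]:
    """Parse every complete frame in buf; return (frames, unconsumed tail)."""
    frames: list[Frame] = []
    while True:
        while buf[:1] in (b"\n", b"\r"):         # bare EOLs between frames are heartbeats
            buf = buf[1:]
        if not buf:
            return frames, buf
        m = _HEADER_END.search(buf)
        if m is None:                            # header block not complete yet
            return frames, buf
        head = buf[:m.start()].decode("utf-8").split("\n")
        command = head[0].rstrip("\r")
        raw = command in ("CONNECT", "CONNECTED")
        headers: dict[str, str] = {}
        for line in head[1:]:
            key, _, value = line.rstrip("\r").partition(":")
            if not raw:
                key, value = _unescape(key), _unescape(value)
            headers.setdefault(key, value)       # repeated header: first value wins
        body_start = m.end()
        if "content-length" in headers:          # body may contain NUL; length is authoritative
            n = int(headers["content-length"])
            if len(buf) < body_start + n + 1:
                return frames, buf               # body not complete yet
            body = buf[body_start:body_start + n]
            if buf[body_start + n:body_start + n + 1] != b"\x00":
                raise ValueError("content-length body not followed by NUL")
            buf = buf[body_start + n + 1:]
        else:                                    # otherwise body runs to the first NUL
            nul = buf.find(b"\x00", body_start)
            if nul < 0:
                return frames, buf
            body = buf[body_start:nul]
            buf = buf[nul + 1:]
        frames.append(Frame(command, headers, body))


def summarize_capture(buf: bytes) -> list[dict]:
    """One row per frame: command, destination, and the decoded JSON body where present."""
    rows = []
    for f in parse_frames(buf)[0]:
        body = None
        if f.body and f.headers.get("content-type", "").startswith("application/json"):
            body = json.loads(f.body.decode("utf-8"))
        rows.append({"command": f.command, "destination": f.headers.get("destination"), "body": body})
    return rows


# Constructed sample capture (not real EagleMsgSpy traffic): client connects, subscribes to
# an assumed command queue, reports status, receives an operator command; last frame truncated.
SAMPLE_CAPTURE = (
    b"CONNECT\naccept-version:1.2\nhost:c2.example\nheart-beat:10000,10000\n\n\x00"
    b"CONNECTED\nversion:1.2\nheart-beat:10000,10000\n\n\x00"
    b"\n"                                                     # heartbeat between frames
    b"SUBSCRIBE\nid:0\ndestination:/user/queue/cmd\n\n\x00"
    b"SEND\ndestination:/app/status\ncontent-type:application/json\ncontent-length:32\n\n"
    b'{"dev":"A1","state":"recording"}\x00'
    b"MESSAGE\nsubscription:0\nmessage-id:7\ndestination:/user/queue/cmd\n"
    b"operator:unit\\c12\ncontent-type:application/json\n\n"   # \c escapes ':' in a value
    b'{"cmd":"screenshot"}\x00'
    b"SEND\ndest"                                             # incomplete trailing frame
)

if __name__ == "__main__":
    for row in summarize_capture(SAMPLE_CAPTURE):
        print(row)
```

The codec works on the concatenated text payloads of the WebSocket messages, so WebSocket framing itself must already be stripped (a pcap tool or a browser proxy does that). Two details matter when reassembling from a stream: bare newlines between frames are heartbeats and must be skipped rather than parsed, and a frame carrying content-length may legitimately contain NUL bytes in its body, so the length header, not the first NUL, delimits it. An undecodable header escape is treated as fatal, as the STOMP 1.2 specification requires.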
Obfuscation¶
Early variants of EagleMsgSpy employed minimal obfuscation. More recent samples use ApkToolPlus, an open-source application protection tool, to conceal portions of the code.
Infrastructure Connections¶
Two IP addresses tied to EagleMsgSpy C2 SSL certificates overlap with infrastructure used by other China-linked surveillance tools:
| IP Address | Connection |
|---|---|
| 202.107.80[.]34 | Used by 15 PluginPhantom samples from early 2017 to late 2020 |
| 119.36.193[.]210 | Contacted by a CarbonSteal sample |
Both PluginPhantom and CarbonSteal have been used to target Tibetan and Uyghur communities, placing EagleMsgSpy's infrastructure within a broader Chinese state surveillance ecosystem.
Distribution¶
EagleMsgSpy requires physical access to the target's unlocked device. It is not a remotely deployed exploit; it is a tool designed for installation while the device is in physical custody (arrests, border crossings, device inspections). Neither the installer nor the surveillance payload has been observed on Google Play or third-party app stores.
Attribution¶
Lookout attributes EagleMsgSpy to Wuhan Chinasoft Token Information Technology Co., Ltd. with high confidence, based on:
- C2 server IP addresses previously pointed to by subdomains associated with the company
- The tzsafe string in the surveillance module matching the company's promotional domain
- Artifacts found in open C2 directories
- Source code references and OSINT investigation
The company develops the tool; Chinese public security bureaus are the operational users.
References¶
- Lookout: EagleMsgSpy Chinese Android Surveillanceware
- The Hacker News: Chinese EagleMsgSpy Spyware Found Exploiting Mobile Devices Since 2017
- BleepingComputer: New EagleMsgSpy Android spyware used by Chinese police
- SecurityWeek: Mobile Surveillance Tool EagleMsgSpy Used by Chinese Law Enforcement
- The Record: Chinese provincial security teams used spyware to collect texts, audio recordings
- Security Affairs: China uses EagleMsgSpy surveillance tool