WyrmSpy

Malware

⚠️ Overview

WyrmSpy is Android surveillanceware that Lookout Threat Lab attributes with high confidence to APT41 (also tracked as Double Dragon, BARIUM and Winnti), a Chinese state-sponsored group that runs espionage operations against government and industry targets alongside financially motivated intrusions. Lookout published its analysis in July 2023 together with a second APT41 Android tool, DragonEgg; the earliest WyrmSpy samples date from 2017. The tooling extends APT41's espionage capability to mobile devices: a compromised phone yields messages, location, photos and audio. Lookout's public report does not identify individual victims or a geographic focus.

🔧 Technical Capabilities

Early WyrmSpy samples pose as a default Android system app that displays notifications to the user; later variants were packaged into apps posing as adult video content, the Baidu Waimai food-delivery platform and Adobe Flash. (Telegram and third-party keyboard lures belong to the sibling tool DragonEgg.) There is no evidence that either tool was ever distributed through Google Play; delivery relies on the victim sideloading the APK. Once installed, WyrmSpy requests an extensive set of device permissions and uses known Android rooting tools to escalate privileges where the device allows it. Much of the surveillance functionality is not in the initial APK but arrives as additional modules downloaded after installation, which keeps the dropper small and lets operators change capabilities without reinfecting the device. Collected data includes log files, photos, device location, SMS messages (both reading and writing) and audio recordings, which are exfiltrated to the operators' command-and-control (C2) infrastructure.

📜 History & Notable Incidents

Lookout first detected WyrmSpy in 2017 and DragonEgg in early 2021; DragonEgg samples were still active in April 2023, and both tools were publicly documented in Lookout's July 2023 report. The two families share Android signing certificates, and WyrmSpy's hardcoded C2 infrastructure overlaps with infrastructure cited in the September 2020 US Department of Justice indictment of APT41 operators; this overlap, together with the shared certificates, is the basis for Lookout's attribution. No specific CVE is exploited: the infection chain depends on social engineering to get the target to sideload the malicious APK, with rooting tools used afterwards to widen access. The 2020 indictment charged five APT41 members, but no law-enforcement action tied specifically to WyrmSpy has been reported.

🔍 Detection Indicators

Sample hashes and C2 infrastructure for WyrmSpy and DragonEgg are published in the indicator list accompanying Lookout's July 2023 report; use that list rather than any secondary reproduction. Behavioral indicators that do not depend on a specific sample: an app with no Play Store install record whose package name or label imitates a system component (for example a notifications app) but whose signing certificate is not the OEM's platform certificate; an app requesting SMS, location, microphone and storage permissions together with boot persistence; rooting-tool binaries or artefacts appearing on a device shortly after such an install; and outbound connections from the app to infrastructure unrelated to its claimed purpose. Lookout's attribution notes that the malware's C2 overlaps with infrastructure named in the 2020 APT41 indictment, so matches against that indictment's indicators are also relevant.
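The behavioral indicators above can be checked mechanically on a decoded manifest. The following is an added example written for this page, not code from Lookout or from the WyrmSpy samples: it reads a decoded AndroidManifest.xml (as produced by apktool or aapt2), groups the requested permissions by the data they expose, looks for a BOOT_COMPLETED receiver, and flags a system-style package name that the caller reports is not platform-signed. The permission grouping, the system-prefix list and the scoring thresholds are the editor's heuristic, not a published signature, and both manifests are constructed for the example.

```python
"""Manifest triage for WyrmSpy-like Android surveillanceware (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"

# Permissions grouped by the data they expose. Together these match the
# collection set Lookout reports for WyrmSpy: SMS, location, audio and
# photos/log files. Assumption: the grouping is the editor's heuristic.
PERM_CATEGORY = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.READ_EXTERNAL_STORAGE": "files",
    "android.permission.READ_CALL_LOG": "calls",
    "android.permission.READ_CONTACTS": "contacts",
}
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
# Package prefixes used by platform and Google apps; a sideloaded APK that
# uses one while not carrying the platform signature is impersonating them.
SYSTEM_PREFIXES = ("android.", "com.android.", "com.google.android.")


def triage_manifest(xml_text: str, platform_signed: bool = False) -> dict:
    """Return a verdict for one decoded manifest.

    platform_signed: whether the APK's signing certificate matches the
    device's platform certificate. The caller establishes this with
    apksigner against the OEM key; it is passed in here as an assumption.
    """
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {e.get(A_NAME) for e in root.iter("uses-permission")}
    categories = sorted({PERM_CATEGORY[p] for p in perms if p in PERM_CATEGORY})

    # The boot permission alone is inert; persistence needs a receiver
    # whose intent-filter is wired to BOOT_COMPLETED.
    boot_receiver = any(
        a.get(A_NAME) == BOOT_ACTION
        for r in root.iter("receiver")
        for a in r.iter("action")
    )

    findings = []
    if len(categories) >= 3:
        findings.append("broad collection: " + ", ".join(categories))
    if BOOT_PERM in perms and boot_receiver:
        findings.append("boot persistence receiver")
    if package.startswith(SYSTEM_PREFIXES) and not platform_signed:
        findings.append("system package name without platform signature")

    # Any two findings together are enough to pull the APK for analysis.
    return {
        "package": package,
        "categories": categories,
        "findings": findings,
        "suspicious": len(findings) >= 2,
    }


# Constructed sample: a sideloaded APK posing as a system notifications app
# (the lure Lookout describes for early WyrmSpy) with a WyrmSpy-like
# permission profile. This is not a real sample.
SPY_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.notify">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Notifications">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign control: a messaging app that legitimately needs SMS
# and contacts, has no boot receiver and does not claim a system identity.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.messenger">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Messenger"/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SPY_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The signature check is deliberately left to the caller: the manifest cannot tell you who signed the APK, and a package name alone is worthless as evidence either way. The two-finding threshold keeps a single broad-permission messaging app from tripping the rule while still catching the combination of collection profile, persistence and impersonated identity that characterises this family.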

☠️ Risk & Impact

WyrmSpy gives its operator persistent, and where rooting succeeds privileged, access to the device, exposing SMS traffic, stored photos, log files, location history and ambient audio. Because the victim's phone is the collection platform, the compromise extends to every conversation and account reachable from it. The impact is espionage consistent with APT41's state-directed tasking rather than direct financial theft; public reporting does not give victim counts or a confirmed victim list.

🛡️ Mitigation

Mitigation starts with the delivery vector, since the malware needs a sideload: on managed devices, block installation from unknown sources through the enterprise management policy, disable developer options, and keep Google Play Protect verification enforced. Deploy a mobile threat defense (MTD) product that detects the WyrmSpy and DragonEgg families and, independently of family signatures, alerts on rooting activity and on apps whose permission profile does not match their stated purpose. Treat any evidence of rooting on a managed device as a compromise signal and re-image rather than clean. Users should install only from the Play Store, check that an app claiming to be a system component is actually part of the firmware, and decline permission requests that make no sense for the app's function.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.