The PolySwarm Blog


Wicked Panda Using WyrmSpy and DragonEgg Android Spyware

Jul 31, 2023 2:33:15 PM / by The Hivemind


Executive Summary

Wicked Panda was observed leveraging WyrmSpy and DragonEgg, two spyware families that target Android devices. 

Key Takeaways

  • Wicked Panda was observed leveraging WyrmSpy and DragonEgg.
  • Both families are used as spyware or surveillanceware and target Android devices.
  • Both apps request extensive device permissions and rely on downloaded modules to achieve full functionality. 


Lookout recently reported on Wicked Panda activity leveraging two Android malware families, WyrmSpy and DragonEgg. Both families are used as spyware or surveillanceware, which falls in line with Wicked Panda’s propensity toward espionage. The use of these malware families indicates Wicked Panda has expanded its targeting to mobile devices. Although Lookout first discovered early samples of these families in 2017 and 2021, they have observed WyrmSpy and DragonEgg being used for activity as recently as April 2023. Lookout linked this activity to Wicked Panda due to the malware’s hardcoded C2, which was a part of known Wicked Panda infrastructure. The apps linked to WyrmSpy and DragonEgg do not appear to be on the official Google Play store and likely came from a third-party app repository. Lookout believes victims were lured to the downloads via social engineering campaigns.

What is WyrmSpy?

WyrmSpy, first detected in 2017, masquerades as a default operating system app used for notifications. Later variants were disguised as adult video content, a food delivery platform, and Adobe Flash. WyrmSpy requests extensive device permissions and then leverages modules that are downloaded post-installation. Its capabilities include harvesting and exfiltrating log files and photos and acquiring device location. WyrmSpy can also read and write SMS messages and record audio. Lookout researchers noted that, based on the permissions requested, it is highly likely a secondary payload exists for more extensive surveillance capabilities.

What is DragonEgg?

DragonEgg, first detected in 2021, masquerades as a third-party keyboard or messaging app. It also requests extensive device permissions and relies on additional payloads to achieve full functionality. DragonEgg is capable of harvesting and exfiltrating information such as device contacts, SMS messages, external device storage files, device location, audio recordings, and photos.
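Both families are described above in terms of the device permissions they request and the data they collect. As an added illustration (not code from PolySwarm or Lookout), the Python triage helper below maps the <uses-permission> entries of a decoded AndroidManifest.xml (as produced by a tool such as apktool) onto the surveillance capabilities the bulletin lists: SMS read/write, audio recording, location, contacts, external storage, and photos. The permission names are real Android permission constants; the capability labels, the scoring threshold, and the two sample manifests are constructed for this example.

```python
"""Permission-to-capability triage for a decoded Android manifest.

Added example (not PolySwarm's or Lookout's code). It only inspects
<uses-permission> entries; it does not prove an app is spyware, it flags
apps whose requested permission set matches the surveillance profile
described for WyrmSpy and DragonEgg so an analyst can prioritise them.
"""
import xml.etree.ElementTree as ET

# Android attributes live in this XML namespace (android:name etc.).
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability label (constructed) -> real Android permissions granting it.
CAPABILITY_PERMISSIONS = {
    "sms_read_write": {
        "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
        "android.permission.SEND_SMS", "android.permission.WRITE_SMS",
    },
    "audio_recording": {"android.permission.RECORD_AUDIO"},
    "device_location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
    "contacts": {"android.permission.READ_CONTACTS"},
    "external_storage": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.WRITE_EXTERNAL_STORAGE",
    },
    "photos_camera": {"android.permission.CAMERA"},
    # Lets the app install further packages; consistent with the
    # "downloaded modules" behaviour but not proof on its own.
    "install_packages": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name")
        if name:
            names.add(name)
    return names


def surveillance_capabilities(manifest_xml: str) -> dict:
    """Map each matched capability to the permissions that grant it."""
    perms = requested_permissions(manifest_xml)
    found = {}
    for capability, needed in CAPABILITY_PERMISSIONS.items():
        hit = perms & needed
        if hit:
            found[capability] = hit
    return found


def triage(manifest_xml: str, threshold: int = 3) -> tuple:
    """Return (capability_count, flagged). An app matching `threshold` or
    more surveillance capabilities is flagged for deeper analysis."""
    count = len(surveillance_capabilities(manifest_xml))
    return count, count >= threshold


# Constructed sample: a "keyboard" app requesting a spyware-like profile.
SAMPLE_SPYWARE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.keyboard">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Keyboard"/>
</manifest>
"""

# Constructed sample: a benign-looking app with network access only.
SAMPLE_BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Weather"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("keyboard", SAMPLE_SPYWARE_MANIFEST),
                            ("weather", SAMPLE_BENIGN_MANIFEST)):
        caps = surveillance_capabilities(manifest)
        count, flagged = triage(manifest)
        print(f"{label}: {count} capabilities, flagged={flagged}")
        for cap, perms in sorted(caps.items()):
            print(f"  {cap}: {', '.join(sorted(perms))}")
```

The threshold is deliberately low because, as the bulletin notes, the requested permissions are the signal that a heavier secondary payload is likely; a permission match should lead to dynamic analysis of what the app downloads after installation, not to a verdict on its own.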

Who is Wicked Panda?

Wicked Panda, also known as Axiom, Winnti, APT41, and Bronze Atlas, is a sophisticated China-nexus threat actor group perpetrating activity in support of or in conjunction with the Chinese Ministry of State Security (MSS) and the People's Liberation Army (PLA). Active since at least 2009, Wicked Panda’s roots seem to have emerged in cybercrime and later evolved into the group’s current form.

Their activity has ranged from criminal, financially motivated attacks to stealthy espionage campaigns in support of Chinese military intelligence collection requirements. Wicked Panda has been known to attack a wide range of targets, including software development companies, computer hardware manufacturers, telecommunications providers, social media companies, video game companies, non-profit organizations, universities, think tanks, and foreign governments. The group has targeted a broad range of entities across the APAC, AMEA, and AMERICAS regions.

Wicked Panda is known for having skilled programmers capable of developing sophisticated tools. The group uses a variety of TTPs, including but not limited to living-off-the-land (LotL) tactics, phishing, ransomware, cryptocurrency mining, supply chain attacks, China Chopper, Gh0st RAT, PlugX, HighNoon, Derusbi, BioPass RAT, RedXOR, and ShadowPad. The group is also known to steal software signing certificates to use in their campaigns.


PolySwarm has multiple samples of WyrmSpy and DragonEgg.

You can use the following CLI command to search for all WyrmSpy samples in our portal:

$ polyswarm link list -f WyrmSpy


You can use the following CLI command to search for all DragonEgg samples in our portal:

$ polyswarm link list -f DragonEgg



Topics: Threat Bulletin, Android, Wicked Panda, Mobile, DragonEgg, WyrmSpy
