
GoldenEagle

Posted: July 7, 2020

GoldenEagle is an Android threat that is believed to date back to 2012. The implant has undergone major updates over the years, and its functionality has changed greatly. The earliest GoldenEagle samples used a very basic method to exfiltrate data from infected Android devices: they relied on the SMTP protocol to send emails to the attacker's inbox. The contents of these emails were equally basic, consisting of text-based data about the infected device and the user's activity.

Newer updates introduced the use of the HTTP protocol, greatly increasing the amount of data that the GoldenEagle malware can steal from infected devices. Despite being active for approximately seven years, the GoldenEagle campaigns have not spread worldwide; they appear to focus on specific communities, such as the Uyghurs in China and political movements in Tibet.

Trojanized Android Applications Target Members of the Tibetan and Uyghur Communities

The malware was often spread via Trojanized versions of popular applications among the users targeted by the campaign. For example, the implant was delivered to Uyghurs via fake Uyghur applications regarding flights, news, keyboard layouts, social media, messaging, and the Quran. In the meantime, the GoldenEagle campaign against Tibetan users relied on fake applications such as 'Travel Notes in Tibet,' 'Quick Search Tibet,' and 'Beautiful Featured Tibet Wallpaper.'

The latest GoldenEagle samples share many similarities with the CarbonSteal implant, which targets the same groups of users, a reason to suspect that the criminals behind these malware samples are either the same or share similar ideals. The latest versions of GoldenEagle support a wide range of features, including the ability to:

  • Access and collect the contact list.
  • Monitor text messages and call logs.
  • Get a list of installed applications.
  • Take screenshots of the screen, or take photos via the rear/front cameras.
  • Record audio calls.
  • Use the GPS sensor.
  • Collect files and messages related to popular chat applications in China.

Although the GoldenEagle campaign appears to focus on victims in China, there are plenty of Android malware packages that are active in other parts of the world. You can keep your device protected by using an up-to-date Android anti-malware application, as well as by being careful about the Android applications you interact with.
