FireEye reports on a Chinese-sponsored espionage campaign to eavesdrop on text messages, violating telco servers: yet another example that demonstrates why end-to-end message encryption is so important.

A new malware, dubbed “Messagetap”, developed by the Chinese APT41 [2] hacker group to deploy in the telecommunications network and designed to monitor and record SMS traffic and IMSI numbers of certain phone numbers.

The malware was discovered by FireEye [1] during an investigation at a telecommunications network provider.

APT41's newest espionage tool, MESSAGETAP, was discovered during a 2019 investigation at a telecommunications network provider within a cluster of Linux servers. Specifically, these Linux servers operated as Short Message Service Center (SMSC) servers. In mobile networks, SMSCs are responsible for routing Short Message Service (SMS) messages to an intended recipient or storing them until the recipient has come online. With this background, let's dig more into the malware itself.

How it works?

Once this malware get’s installed in a Linux SMSC, it check for the existence of two configuration files: keyword_parm.txt, that contains keywords of geopolitical interest and parm.txt that contains the list of target MSISDN and IMSI numbers.

The malware searches the SMS message contents for keywords from the keyword list, compares the IMSI and Phone numbers with the targets list, and if the compare matches extracts the following data from the network

  • SMS message contents
  • The IMSI number
  • The source and destination phone numbers

and saves them in a CSV file.

Furthermore, FireEye also identified that

the threat actor interacting with call detail record (CDR) databases to query, save and steal records during this same intrusion. The CDR records corresponded to foreign high-ranking individuals of interest to the Chinese intelligence services. Targeting CDR information provides a high-level overview of phone calls between individuals, including time, duration, and phone numbers. In contrast, MESSAGETAP captures the contents of specific text messages.

During 2019, FireEye observed four telecoms organisations being targeted by APT41, and for other telecoms companies targeted by other groups linked to the Chinese state, so warns:

Beyond telecommunication organizations, other client verticals that possess sensitive records related to specific individuals of interest, such as major travel services and healthcare providers, were also targeted by APT41. This is reflective of an evolving Chinese targeting trend focused on both upstream data and targeted surveillance

How to defend yourself from a eavesdropping?

You don't, if your mobile operator is compromized and you're still use SMS.

A good suggestion is avoid use of traditional text message and switch all your comunications to a messaging system with E2E encryption, like Signal, Briar or Riot [3].


  1. MESSAGETAP: Who’s Reading Your Text Messages? | FireEye Inc
  2. APT41: A Dual Espionage and Cyber Crime Operation | FireEye Inc
  3. Why WhatsApp (and Telegram) messages are not really private?