ActionSpy is new Android spyware that has recently, discovered by the security researchers and is mostly targeting users from Turkey, Tibet, and Taiwan. Moreover, the attackers are using this spyware either with a fake website or with the watering-whole website.
The ActionSpy spyware was first discovered in April 2020, but the spyware has been running at least since 2017. As its impact was powerful, and this spyware is damaging all the content and data of the users.
Security researchers from Trend Micro observed a phishing page in April 2020, which has been drawn from a third-party web store. The whole spyware is based on the fact that one of the ill-disposed scripts implanted on the page, and then it was treated on a domain relating to the group.
Earth Empusa, also recognized as Evil Eye or Poison group, that belived to be orginated from China. This group also has a background that says that it mostly targets the users of Tibet.
Moreover, Earth Empusa has sent several malicious links as a WhatsApp text to the users of Tibet. They sent these messages between November 2018 and May 2019. Well, during this mission, the threat actors disguised as NGO workers and journalists.
As per the researchers, members of Earth Empusa are currently circulating the ActionSpy by inserting code with the help of watering-hole pages or fake websites. But, the researchers have announced that they obtained a phony website imitating news pages from the World Uighur Congress website to diffuse the spyware.
Not only, this but the threat actors have also used some legitimate websites as well so that users will believe them without any second thought.
To carry out this program, the attackers need to install the ActionSpy software on the system of the target or victim; once done, it will connect to the Command and Control (Cs) server, and DES encrypts these servers.
The experts affirmed that the decryption key is created in native code – that helps in making static analysis of ActionSpy more complex. After that, every 30 seconds, the spyware would assemble primary device data which generally, include a phone number, battery status, and some more.
malware carries an array of modules, including ones enabling it to assemble device location, call logs, contact info, and SMS messages. More importantly, it advises users to switch on the Android Accessibility service, using a prompt.
The Accessibility Service, which has earlier been leveraged by cybercriminals in Android attacks, helps the users with limitations. And they run in the background of the device and receive callbacks by the system during the “AccessibilityEvents.”
Hackers Launching “ActionSpy” via phishing Attacks
The Earth Empusa’s utilizes the phishing pages and are related to the recent statement of Operation Poisoned News; they also used web news pages as a lure to utilize mobile devices. But, Earth Empusa utilized social engineering lures to fool its targets so that they will visit the phishing pages.
The experts also obtained some news web pages, which resemble to have been borrowed from Uyghur-related news sites, and then it has been treated on their server in March 2020. The most crucial point is that all pages were added with a script to load the cross-site scripting framework, BeEF.
Modules Supported by ActionSpy
|location||Get device location latitude and longitude|
|geo||Get geographic area like province, city, district, street address|
|contacts||Get contacts info|
|calling||Get call logs|
|sms||Get SMS messages|
|nettrace||Get browser bookmarks|
|software||Get installed APP info|
|process||Get running processes info|
|wifi connect||Make device connect to a specific Wi-Fi hotspot|
|wifi disconnect||Make the device disconnect to Wi-Fi|
|wifi list||Get all available Wi-Fi hotspots info|
|dir||Collect specific types of file list on SDCard, like txt, jpg, mp4, doc, xls…|
|file||Upload files from device to C&C server|
|voice||Record the environment|
|camera||Take photos with camera|
|Get the structure of WeChat directory|
|wxfile||Get files that received or sent from WeChat|
|wxrecord||Get chat logs of WeChat, QQ, WhatsApp, and Viber|
Violation of Accessibility
A third-party app couldn’t obtain files of other users on Android, and this makes it challenging for ActionSpy to steal chat log data from different messaging apps like WeChat instantly without root authority.
ActionSpy, in return, utilizes an indirect way: it advises users to switch on its Accessibility service and demands that it is a memory trash cleaning service. Once the user allows the Accessibility service, the ActionSpy will control the Accessibility events on the required device. Well, this occurs when something “unusual” appears in the user interface.
All these methods that are used by the threat actors are very crafty and dangerous. That’s why the security experts clearly recommended that all users should keep their devices updated and install apps just from designated places, like from Google Play Store or the App Store.