Android ‘ActionSpy’ Malware Targets Turkic Minority Group

The ongoing vogue of cyber threats continues. Researchers have newly identified Android spyware named “ActionSpy” that is currently targeting victims across Tibet, Turkey, and Taiwan. Usually, the backdoor spyware is disseminated over watering-hole websites or via illegitimate websites.
According to the investigation, the malware is developed by the Earth Empusa threat group. The threat group is spreading the malware by injecting code into bogus and watering-hole pages. Investigators consider “ActionSpy” as a vigorous medium to be used in ongoing campaigns that are targeting Uyghur victims. The Uyghurs, a Turkic minority ethnic group, affiliated with Central and East Asia. Spyware attacks have earlier targeted ethnic groups. The very first spyware attack was discovered in April 2020. Despite its official release, researchers believe that it existed for at least three years based on its certificate flag time.
Officials stated that:
“ActionSpy, which may have been around since 2017, is Android spyware that allows the attacker to collect information from the compromised devices,” said researchers with Trend Micro in a Thursday analysis. “It also has a module designed for spying on instant messages… and collecting chat logs from four different instant messaging applications.”Researchers discovered ActionSpy being spread via several pages in April 2020. How these pages were distributed in the wild – whether via phishing emails or otherwise – is also unclear, researchers said.
The majority of the sites were found to be illegitimate. For example, one page replicated news pages from the website of the World Uyghur Congress, while the other authentic sites were found to be compromised.
Working procedure of ActionSpy
Hacker spy your data file


The attacker has to inject the website with a cross-site scripting framework, BeEF. BeEF that stands for Browser Exploitation Framework is typically a web pentesting tool designed for CyberSecurity Analysts. Further, investigators say that the framework is used by threat actors to impersonate the users.
Meanwhile, in late April 2020, researchers observed different types of websites that appeared to be cloned from a third-party web service. It tricked the users into downloading an Uyghur video app that was popularly known to Tibetan Android users, called “Ekran.” The webpage was found to be inoculated with two scripts that were designed to load the BeEF framework, including the ScanBox framework. The purpose of there frameworks was to gather data about the visitor’s system without tainting the system.

Insights of ActionSpy

When the download is completed, ActionSpy then executes a shell that connects to its Command and Control (Cs) server. Usually, the server is encrypted by DES. Investigators said the decryption key is generated in its regional code. It is programmed in such a way that, every 30 seconds, spyware would gather some authentic device information (including IMEI, phone number, manufacturer, battery status, etc. Further, all information was intended to send to the C2 server.
Basically, ActionSpy sustains an array of modules that includes the privilege of administrative permissions, including ones like device location, contact info, call logs, and SMS messages. The backdoor android spyware was also capable of making a device connect or disconnect to Wi-Fi, take photos with the camera and screenshots of the device and get chat logs from messaging apps like WhatsApp, Viber, and WeChat.
Apart from these, “ActionSpy” also provokes users to turn on the Android Accessibility service. This service allows us to clean the memory garbage service. Typically, it was leveraged by cyber crooks in Android-based attacks and aids users with impediments. It operates in the background and props callbacks by the system after the execution of “AccessibilityEvents.”
Once the user enables the Accessibility service, ActionSpy will then monitor all the activities via “AccessibilityEvents.” The ability to parse the activity and harvesting credentials information is what makes it more lethal than the other Spywares.
preventive measures for spyware

Eight quick mitigating measures for “AndroidSpy.”

Spywares are the most lethal weapon of modern time. They are specially designed to escalate administrative permissions. So to counter such a problem, you must be loaded with some quicks that would help you to prevent backdoor Spywares.
  1. Enable WAF(web application firewall).
  2. Traverse through your login history.
  3. Check the list of authorized devices.
  4. Install anti-malware software and WAF(web application firewall).
  5. Don’t delay your security updates.
  6. Never give out your passwords, ever.
  7. Avoid clicking on malicious or spam links in emails.
  8. Always perform offline backups.

- Advertisement -

Prashant Singh
Prashant Singh
Prashant is a student of Computer Science and Engineering at NIT Allahabad. He is also a web pentester and cybersecurity analyst. He may be an introvert and sociable person at the same time. He loves meeting new people and he is in a journey to explore himself. Currently working as a content writer at BLARROW.TECH.

- Advertisement -

Latest articles

Related articles