{
	"id": "5409f0df-5d37-4caf-ae55-3984c05143ba",
	"created_at": "2026-04-06T00:18:36.833955Z",
	"updated_at": "2026-04-10T03:35:27.53688Z",
	"deleted_at": null,
	"sha1_hash": "d41d17387b00f43bc8db3a8730085e43ee26a267",
	"title": "Phishing Attacks from Earth Empusa Reveal ActionSpy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 92816,
	"plain_text": "Phishing Attacks from Earth Empusa Reveal ActionSpy\r\nBy Ecular Xu, Joseph C Chen\r\nPublished: 2020-06-11 · Archived: 2026-04-05 21:22:21 UTC\r\nWhile tracking Earth Empusa, also known as POISON CARP/Evil Eye, we identified an undocumented Android spyware we have named ActionSpy (detected by Trend Micro as AndroidOS_ActionSpy.HRX). During the first quarter of 2020, we observed Earth Empusa’s activity targeting users in Tibet and Turkey before they extended their scope to include Taiwan. The campaign is reportedly targeting victims related to Uyghurs by compromising their Android and iOS mobile devices. This group is known to use watering hole attacks, but we recently observed them using phishing attacks to deliver their malware.\r\nThe malware that infects the mobile devices is found to be associated with a sequence of iOS exploit chain attacks in the wild since 2016. In April 2020, we noticed a phishing page disguised as a download page of an Android video application that is popular in Tibet. The phishing page, which appears to have been copied from a third-party web store, may have been created by Earth Empusa. This is based on the fact that one of the malicious scripts injected on the page was hosted on a domain belonging to the group. Upon checking the Android application downloaded from the page, we found ActionSpy.\r\nFigure 1. The Earth Empusa attack chain\r\nActionSpy, which may have been around since 2017, is an Android spyware that allows the attacker to collect information from the compromised devices. 
It also has a module designed for spying on instant messages by abusing Android Accessibility and collecting chat logs from four different instant messaging applications.\r\nPhishing attacks delivering ActionSpy\r\nEarth Empusa’s use of phishing pages is similar to our recent report on Operation Poisoned News, which also used web news pages as a lure to exploit mobile devices. Earth Empusa also used social engineering lures to trick its targets into visiting the phishing pages. We found some news web pages, which appear to have been copied from Uyghur-related news sites, hosted on their server in March 2020. All pages were injected with a script to load the cross-site scripting framework BeEF. We suspect the attacker used the framework to deliver their malicious script when they found a targeted victim browsing the said sites. However, our investigation did not yield any script when we attempted to access said phishing pages. How these pages were distributed in the wild is also unclear.\r\nFigure 2. A news page copied from the World Uyghur Congress website used for loading the BeEF framework\r\nUpon continued investigation in late April 2020, we found another phishing page that appears to be copied from a third-party web store and injected with two scripts to load the ScanBox and BeEF frameworks. This phishing page invites users to download a video app that is known to Tibetan Android users. We believe the page was created by Earth Empusa because the BeEF framework was running on a domain that reportedly belongs to the group.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/\r\nPage 1 of 6\r\nThe download link was modified to an archive file that contains an Android application. 
Analysis then revealed that the application is an undocumented Android spyware we named ActionSpy.\r\nFigures 3 and 4. Fake Android application download page (in the original language and translated into English)\r\nFigure 5. The injection of ScanBox (above) and BeEF (below) on the phishing page shows overlap with Earth Empusa’s domain\r\nBreaking Down ActionSpy\r\nThis malware impersonates a legitimate Uyghur video app called Ekran. The malicious app has the same appearance and features as the original app. It is able to achieve this with VirtualApp. In addition, it is also protected by Bangcle to evade static analysis and detection.\r\nFigure 6. ActionSpy’s icon (left) and appearance (right)\r\nFigure 7. ActionSpy is protected by Bangcle\r\nA legitimate Ekran APK file is embedded in the ActionSpy assets directory and is installed in the virtual environment once VirtualApp is ready, when ActionSpy is launched for the first time.\r\nFigures 8 and 9. Installing the real “Ekran” app (above) and launching it (below)\r\nActionSpy’s configuration, including its C\u0026C server address, is encrypted with DES. The decryption key is generated in native code, which makes static analysis of ActionSpy difficult.\r\nEvery 30 seconds, ActionSpy collects basic device information such as the IMEI, phone number, manufacturer, and battery status, which it sends to the C\u0026C server as a heartbeat request. The server may return commands that are then performed on the compromised device. All communication between the C\u0026C server and ActionSpy is encrypted with RSA and transferred via HTTP.\r\nFigure 10. 
Collected device information\r\nActionSpy supports the following modules:\r\nModule Name - Description\r\nlocation - Get device location (latitude and longitude)\r\ngeo - Get geographic area, such as province, city, district, and street address\r\ncontacts - Get contacts info\r\ncalling - Get call logs\r\nsms - Get SMS messages\r\nnettrace - Get browser bookmarks\r\nsoftware - Get installed app info\r\nprocess - Get running process info\r\nwifi connect - Make the device connect to a specific Wi-Fi hotspot\r\nwifi disconnect - Make the device disconnect from Wi-Fi\r\nwifi list - Get info on all available Wi-Fi hotspots\r\ndir - Collect a list of files of specific types on the SD card, such as txt, jpg, mp4, doc, xls...\r\nfile - Upload files from the device to the C\u0026C server\r\nvoice - Record the environment\r\ncamera - Take photos with the camera\r\nscreen - Take a screenshot\r\nwechat - Get the structure of the WeChat directory\r\nwxfile - Get files received or sent via WeChat\r\nwxrecord - Get chat logs of WeChat, QQ, WhatsApp, and Viber\r\nAbuse of Accessibility\r\nNormally, a third-party app can’t access files belonging to other apps on Android. This makes it difficult for ActionSpy to steal chat log files from messaging apps like WeChat directly without root permission. ActionSpy therefore adopts an indirect approach: it prompts users to turn on its Accessibility service, claiming that it is a memory garbage cleaning service.\r\nFigure 11. Prompt to turn on Accessibility\r\nOnce the user enables the Accessibility service, ActionSpy monitors Accessibility events on the device. These are fired when something “notable” happens in the user interface (such as clicked buttons, entered text, or changed views). 
When an Accessibility event is received, ActionSpy checks whether the event type is VIEW_SCROLLED or WINDOW_CONTENT_CHANGED and then checks whether the event came from a targeted app like WeChat, QQ, WhatsApp, or Viber. If all the above conditions are met, ActionSpy parses the current activity contents and extracts information like nicknames, chat contents, and chat time.\r\nAll the chat information is formatted and stored in a local SQLite database. Once a “wxrecord” command is pushed, ActionSpy gathers the chat logs from the database and converts them into JSON format before sending them to its C\u0026C server.\r\nFigure 12. Code snippet of parsing chat information\r\nWe believe ActionSpy has existed for at least three years, based on its certificate signing time (2017-07-10). We also sourced some old ActionSpy versions that were created in 2017.\r\nFigure 13. Certificate info\r\nFigure 14. The earlier version (created in 2017)\r\nMore on Earth Empusa: Watering hole attacks to compromise iOS systems\r\nEarth Empusa also employs watering hole attacks to compromise iOS devices. The group injected their malicious scripts into websites that their targets could potentially visit and load the injected script from. We found two kinds of attacks they injected into compromised websites:\r\nOne injection we found is the ScanBox framework. The framework can collect information from a website’s visitors by using JavaScript to record keypresses and harvest the profiles of the OS, browser, and browser plugins from the client environment. 
The framework is usually used during the reconnaissance stage, allowing the attackers to understand their targets and prepare for the next stage of the attack.\r\nThe other injection is their exploit chain framework, which exploits vulnerabilities in iOS devices. When a victim accesses the framework, it checks the User-Agent header of the HTTP request to determine the iOS version on the victim’s device and replies with the corresponding exploit code. If the User-Agent doesn’t belong to any of the targeted iOS versions, the framework will not deliver any additional payload.\r\nFigure 15. An example of iOS exploit chain traffic\r\nIn the first quarter of 2020, the exploit chain framework was upgraded to include a newer iOS exploit that can compromise iOS versions 12.3, 12.3.1, and 12.3.2. Other researchers have also published details of this updated exploit.\r\nFigure 16. The script for determining the iOS version and launching the exploit code\r\nWe have observed these injections on multiple Uyghur-related sites since the start of 2020. In addition, we have also identified a news website and a political party website in Turkey that have been compromised and injected with the same attack. In a more recent development, we found the same injection on a university website as well as a travel agency site based in Taiwan in March 2020. These developments have led us to believe that Earth Empusa is widening the scope of its targets.\r\nBest practices and solutions\r\nEarth Empusa is still very active in the wild. We are constantly tracking and monitoring the threat group as it continues to develop new ways to attack its targets.\r\niOS users are advised to keep their devices updated. 
Android users, on the other hand, are encouraged to install apps only from trusted places such as Google Play to avoid malicious apps.\r\nUsers can also install security solutions, such as Trend Micro™ Mobile Security, that can block malicious apps. End users can also benefit from its multilayered security capabilities that secure the device owner’s data and privacy, and features that protect them from ransomware, fraudulent websites, and identity theft.\r\nFor organizations, the Trend Micro™ Mobile Security for Enterprise suite provides device, compliance and application management, data protection, and configuration provisioning. The suite also protects devices from attacks that exploit vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and fraudulent websites. Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies to protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.\r\nIndicators of Compromise\r\nAll of the malicious apps listed in the original report are detected as AndroidOS_ActionSpy.HRX.\r\nMITRE ATT\u0026CK Techniques\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/"
	],
	"report_names": [
		"new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa"
	],
	"threat_actors": [
		{
			"id": "52973e5f-9656-4b60-b7f8-457e32ac4bbe",
			"created_at": "2023-01-06T13:46:39.056888Z",
			"updated_at": "2026-04-10T02:00:03.198866Z",
			"deleted_at": null,
			"main_name": "POISON CARP",
			"aliases": [
				"Evil Eye",
				"Red Dev 16",
				"Earth Empusa"
			],
			"source_name": "MISPGALAXY:POISON CARP",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d2a5c949-7ae0-4610-8bb8-047ab03b1574",
			"created_at": "2022-10-25T16:07:24.064197Z",
			"updated_at": "2026-04-10T02:00:04.856578Z",
			"deleted_at": null,
			"main_name": "Poison Carp",
			"aliases": [
				"Earth Empusa",
				"Evil Eye",
				"EvilBamboo",
				"Poison Carp",
				"Red Dev 16",
				"Sentinel Taurus"
			],
			"source_name": "ETDA:Poison Carp",
			"tools": [
				"ActionSpy",
				"AxeSpy",
				"BADSIGNAL",
				"BADSOLAR",
				"BadBazaar",
				"IRONSQUIRREL",
				"IceCube",
				"MOONSHINE",
				"PoisonCarp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434716,
	"ts_updated_at": 1775792127,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d41d17387b00f43bc8db3a8730085e43ee26a267.pdf",
		"text": "https://archive.orkl.eu/d41d17387b00f43bc8db3a8730085e43ee26a267.txt",
		"img": "https://archive.orkl.eu/d41d17387b00f43bc8db3a8730085e43ee26a267.jpg"
	}
}