[Home » Malware » New Android Spyware ActionSpy Revealed via Phishing Attacks from Earth Empusa](https://blog.trendmicro.com/trendlabs-security-intelligence/) ## New Android Spyware ActionSpy Revealed via Phishing Attacks from Earth Empusa **[Posted on: June 11, 2020](https://blog.trendmicro.com/trendlabs-security-intelligence/2020/06/)** at 5:25 am **[Posted in: Malware,](https://blog.trendmicro.com/trendlabs-security-intelligence/category/malware/)** [Mobile](https://blog.trendmicro.com/trendlabs-security-intelligence/category/mobile/) **[Author: Trend Micro](https://blog.trendmicro.com/trendlabs-security-intelligence/author/trend-micro/)**  23    **_By Ecular Xu and Joseph C. Chen_** [While tracking Earth Empura, also known as POISON CARP/Evil Eye, we identified an](https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/) undocumented Android spyware we have named ActionSpy (detected by Trend Micro as AndroidOS_ActionSpy.HRX). During the first quarter of 2020, we observed Earth Empusa’s activity targeting users in Tibet and Turkey before they extended their scope to include Taiwan. The campaign is reportedly targeting victims related to Uyghurs by compromising their Android and iOS mobile devices. This group is known to use watering hole attacks, but we recently observed them using phishing attacks to deliver their malware. The malware that infects the mobile devices is found to be associated with a sequence of iOS exploit chain attacks in the [wild since 2016. In April 2020, we noticed a phishing page disguised as a download page of an Android video application](https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html) that is popular in Tibet. The phishing page, which appears to have been copied from a third-party web store, may have been created by Earth Empusa. This is based on the fact that one of the malicious scripts injected on the page was hosted on a domain belonging to the group. Upon checking the Android application downloaded from the page, we found ActionSpy. ----- _Figure 1. The Earth Empusa attack chain_ ActionSpy, which may have been around since 2017, is an Android spyware that allows the attacker to collect information from the compromised devices. It also has a module designed for spying on instant messages by abusing Android Accessibility and collecting chat logs from four different instant messaging applications. **Phishing attacks delivering ActionSpy** [Earth Empusa’s use of phishing pages is similar to our recent report on Operation Poisoned News, which also used web](https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/) news pages as a lure to exploit mobile devices. Earth Empusa also used social engineering lures to trick its targets into visiting the phishing pages. We found some news web pages, which appear to have been copied from Uyghur-related news sites, hosted on their server in March 2020. All pages were injected with a script to load the cross-site scripting framework [BeEF. We suspect the attacker used the framework to deliver their malicious script when they found a targeted victim](https://beefproject.com/) browsing the said sites. However, our investigation did not yield any script when we attempted to access said phishing pages. How these pages were distributed in the wild is also unclear. ----- _Figure 2. A news page copied from the World Uyghur Congress website used for loading the BeEF framework_ Upon continued investigation in late April 2020, we found another phishing page that appears to be copied from a third-party [web store and injected with two scripts to load ScanBox and BeEF frameworks. This phishing page invites users to](https://resources.infosecinstitute.com/scanbox-framework/) download a video app that is known to Tibetan Android users. We believe the page was created by Earth Empusa because the BeEF framework was running on a domain that reportedly belongs to the group. The download link was modified to an archive file that contains an Android application. Analysis then revealed that the application is an undocumented Android spyware we named ActionSpy. ----- _Figures 3 and 4. Fake Android application download page (In original language and translated into English)_ ----- _Figure 5. The injection of ScanBox (above) and BeEF (below) on the phishing page shows overlap to Earth Empusa’s_ _domain_ **Breaking Down ActionSpy** This malware impersonates a legitimate Uyghur video app called Ekran. The malicious app has the same appearance and [features as the original app. It is able to achieve this with VirtualApp. In addition, it’s also protected by Bangcle to evade](https://github.com/asLody/VirtualApp) static analysis and detection. _Figure 6. ActionSpy’s icon (left) and appearance (right)_ _Figure 7. ActionSpy is protected by Bangcle_ A legitimate Ekran APK file is embedded in the ActionSpy assets directory, and installed in virtual environment after VirtualApp is ready when ActionSpy is launched the first time. ----- _Figure 8 and 9. Install real “Ekran” (above) and launch it (below)_ ActionSpy’s configuration, including its C&C server address, is encrypted by DES. The decryption key is generated in native code. This makes static analysis difficult for ActionSpy. Every 30 seconds, ActionSpy will collect basic device information like IMEI, phone number, manufacturer, battery status, etc., which it sends to the C&C server as a heartbeat request. The server may return some commands that will be performed on the compromised device. All the communication traffic between C&C and ActionSpy is encrypted by RSA and transferred via HTTP. ----- |Col1|Module Name Description location Get device location latitude and longitude geo Get geographic area like province, city, district, street address contacts Get contacts info calling Get call logs sms Get SMS messages nettrace Get browser bookmarks software Get installed APP info process Get running processes info wifi connect Make device connect to a specific Wi-Fi hotspot wifi disconnect Make the device disconnect to Wi-Fi wifi list Get all available Wi-Fi hotspots info dir Collect specific types of file list on SDCard, like txt, jpg, mp4, doc, xls… file Upload files from device to C&C server voice Record the environment camera Take photos with camera screen Take screenshot wechat Get the structure of WeChat directory wxfile Get files that received or sent from WeChat wxrecord Get chat logs of WeChat, QQ, WhatsApp, and Viber|Col3| |---|---|---| **Module Name** **Description** location Get device location latitude and longitude geo Get geographic area like province, city, district, street address contacts Get contacts info calling Get call logs sms Get SMS messages nettrace Get browser bookmarks software Get installed APP info process Get running processes info wifi connect Make device connect to a specific Wi-Fi hotspot wifi disconnect Make the device disconnect to Wi-Fi wifi list Get all available Wi-Fi hotspots info dir Collect specific types of file list on SDCard, like txt, jpg, mp4, doc, xls… file Upload files from device to C&C server voice Record the environment camera Take photos with camera screen Take screenshot wechat Get the structure of WeChat directory wxfile Get files that received or sent from WeChat wxrecord Get chat logs of WeChat, QQ, WhatsApp, and Viber **Abuse of Accessibility** Normally, a third-party app can’t access files belonging to others on Android. This makes it difficult for ActionSpy to steal chat log files from messaging apps like WeChat directly without root permission. ActionSpy, in turn, adopts an indirect approach: it prompts users to turn on its Accessibility service and claims that it is a memory garbage cleaning service. ----- _Figure 11. Prompt to turn on Accessibility_ Once the user enables the Accessibility service, ActionSpy will monitor Accessibility events on the device. This is occurs [when something “notable” happens in the user interface (such as clicked buttons, entered text, or changed views). When an](https://developer.android.com/reference/android/view/accessibility/AccessibilityEvent) [Accessibility Event is received, ActionSpy checks if the event type is VIEW_SCROLLED or](https://developer.android.com/reference/android/view/accessibility/AccessibilityEvent#TYPE_VIEW_SCROLLED) [WINDOW_CONTENT_CHANGED and then check if the events came from targeted apps like WeChat, QQ, WhatsApp, and](https://developer.android.com/reference/android/view/accessibility/AccessibilityEvent#TYPE_WINDOW_CONTENT_CHANGED) Viber. If all the above conditions are met, ActionSpy parses the current activity contents and extracts information like nicknames, chat contents, and chat time. All the chat information is formatted and stored into a local SQLite Database. Once a “wxrecord” command is pushed, ActionSpy will gather chat logs in the database and convert them into JSON format before sending it to its C&C server. _Figure 12. Code snippet of parsing chat information_ We believe ActionSpy has existed for at least three years, based on its certificate sign time (2017-07-10). We also sourced some old ActionSpy versions that were created in 2017. ----- _Figure 13. Certificate info_ _Figure 14. The earlier version (created in 2017)_ **More on Earth Empusa: Watering hole attacks to compromise iOS systems** Earth Empusa also employs watering hole attacks to compromise iOS devices. The group injected their malicious scripts on websites that their targets could potentially visit and load the injected script from it. We found two kinds of attacks they injected into compromised websites: One injection we found is the ScanBox framework. The framework can collect information from a website’s visitors by using JavaScript to record keypresses and harvest the profiles of the OS, browser, and browser plugins from the client environment. The framework is usually used during the reconnaissance stage, allowing them to understand their targets and prepare for the next stage of the attack. Another injection is their exploit chain framework, which exploits the vulnerabilities on the iOS devices. When a victim accesses the framework, it checks the User-Agent header of the HTTP request to determine the iOS version on the victim’s device and reply with a corresponding exploit code. If the User-Agent doesn’t belong to any of the targeted iOS versions, the framework will not deliver any additional payload. _Figure 15. An example of iOS exploit chain traffic_ In the first quarter of 2020, the exploit chain framework was upgraded to include a newer iOS exploit that can compromise ----- 5d3590 _Figure 16. The script for determining the iOS version and launching the exploit code_ We have observed these injections on multiple Uyghur-related sites since the start of 2020. In addition, we have also identified a news website and political party website in Turkey that have been compromised and injected with the same attack. In a more recent development, we found the same injection on a university website as well as a travel agency site based in Taiwan in March 2020. These developments have led as to believe that Earth Empusa is widening the scope of their targets. **Best practices and solutions** Earth Empusa is still very active in the wild. We are constantly tracking and monitoring the threat group as it continues to develop new ways to attack its targets. iOS users are advised to keep their devices updated. Android users, on the other hand, are encouraged to install apps only from trusted places such as Google Play to avoid malicious apps. [Users can also install security solutions, such as the Trend Micro™ Mobile Security for iOS and Trend Micro™ Mobile](https://www.trendmicro.com/en_us/forHome/products/mobile-security.html) [Security for Android™ (also available on Google Play) solutions, that can block malicious apps. End users can also benefit](https://play.google.com/store/apps/details?id=com.trendmicro.tmmspersonal) from their multilayered security capabilities that secure the device owner’s data and privacy, and features that protect them from ransomware, fraudulent websites, and identity theft. [For organizations, the Trend Micro™ Mobile Security for Enterprise suite provides device, compliance and application](https://www.trendmicro.com/en_us/business/products/user-protection/sps.html) management, data protection, and configuration provisioning. The suite also protects devices from attacks that exploit vulnerabilities, prevents unauthorized access to apps and detects and blocks malware and fraudulent websites. Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies to protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability. **Indicators of C0mpromise** All of the malicious apps below are detected as AndroidOS_ActionSpy.HRX. **SHA256** **Package Name** **Label** 56a2562426e504f42ad9aa2bd53445d8e299935c817805b0d9b94315 com.omn.vvi Ekran 21769271 b6e2fdbf022cd009585f62a3de71464014edd58125eb7bc15c2c670d6d com.isyjv.klxblnwc.r 系统优化 5d3590 ----- 146ebe 146ebe 2117e2252fe268136a2833202d746d67bf592de819cc1600ac8d9f2738 com.isyjv.klxblnwc Service Runtime d8d4d6 Library 588b62a2e0bffa8935cd08ae46255a972b0af4966483967a3046a5df59 com.isyjv.klxblnwc Service Runtime d38406 Library d6478b4b7f0ea38947d894b1a87baf4bed7a1ece934fff9dfc233610de2 com.isyjv.klxblnwc Service Runtime 32814 Library 8d0a123e0fe91637fb41d9d9650a4b9c75b6ce77a2b51ac36f05a337da com.ecs.esap Service Runtime 7afd80 Library 9bc16f635fde4ff0b6b02b445a706d885779611b7813c5607ab88fdff43f com.cd.weixin VWechat cc2f 334dbd15289aaeaf3763f1702003de52ff709515246902f51ee87a4146 com.android.dmp.rec Recording 7a8e55 50c10ab93910a6e617c85a03f8c38a10a7c363e2d37b745964e696da8 com.android.dmp.rec Recording f98a93d 6575eeda2a8f76170fb6034944eeda5c88dac8009edccc880124fa729d com.android.dmp.l Location d3c1fd eff30f6cc2d5d04ce4aef0c50f1fb375fb817a803bf3e8e08c847f0465818 com.android.dmp.l Location 5ba a0a48d7e0762ab24b2ec3ec488b011db866992db5392926fe43dd3d1c com.android.dmp.cm Camera 398e30d 088769a80b39d0da26c676a5a52eaccdb805dc67cba85e562785c375 com.android.dmp.c Core c642b501 87306b59aaaba0ea92ea6a05feb9366eeb625e8da08ed3ef6c86a5cf3 com.android.dmp.c Core 94fada5 **Indicator** **Type** gotossl.ml Domain used by Earth Empusa goforssl.top Domain used by Earth Empusa geo2ipapi.org Domain used by Earth Empusa appbuliki.com Domain used by Earth Empusa umutyole.com Domain used by Earth Empusa t.freenunn.com Domain used by Earth Empusa ----- |Col1|static.apiforssl.com Domain used by Earth Empusa cdn.doublesclick.me Domain used by Earth Empusa static.doublesclick.info Domain used by Earth Empusa status.search-sslkey-flush.com Domain used by Earth Empusa http://114.215.41.93/ ActionSpy C&C URL http://static.doubles.click:8082/ ActionSpy C&C URL|Col3| |---|---|---| static.apiforssl.com Domain used by Earth Empusa cdn.doublesclick.me Domain used by Earth Empusa static.doublesclick.info Domain used by Earth Empusa status.search-sslkey-flush.com Domain used by Earth Empusa http://114.215.41.93/ ActionSpy C&C URL http://static.doubles.click:8082/ ActionSpy C&C URL MITRE ATT&CK #     #### Related Posts: **Malicious Optimizer and Utility Android Apps on Google Play Communicate with Trojans that Install** **Malware, Perform Mobile Ad Fraud** **[Dissecting Geost: Exposing the Anatomy of the Android Trojan Targeting Russian Banks](https://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-geost-exposing-the-anatomy-of-the-android-trojan-targeting-russian-banks/)** **[Operation Poisoned News: Hong Kong Users Targeted With Mobile Malware via Local News Links](https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/)** **[Barcode Reader Apps on Google Play Found Using New Ad Fraud Technique](https://blog.trendmicro.com/trendlabs-security-intelligence/barcode-reader-apps-on-google-play-found-using-new-ad-fraud-technique/)** ----- Tags: [ActionSpy](https://blog.trendmicro.com/trendlabs-security-intelligence/tag/actionspy/) [android](https://blog.trendmicro.com/trendlabs-security-intelligence/tag/android/) [Earth Empusa](https://blog.trendmicro.com/trendlabs-security-intelligence/tag/earth-empusa/) [Ekran](https://blog.trendmicro.com/trendlabs-security-intelligence/tag/ekran/) [Uyghur](https://blog.trendmicro.com/trendlabs-security-intelligence/tag/uyghur/) **0 Comments** **[TrendLabs](https://disqus.com/home/forums/trendlabs/)** [🔒 Disqus' Privacy Policy](https://help.disqus.com/customer/portal/articles/466259-privacy-policy) [1](https://disqus.com/home/inbox/) **Login**  Recommend t Tweet f Share **Sort by Best** ### Start the discussion… **LOG IN WITH** **OR SIGN UP WITH DISQUS** **?** Name Be the first to comment. ### ✉ Subscribe d Add Disqus to your site ⚠ Do Not Sell My Data ##### Security Predictions for 2020 Cybersecurity in 2020 will be viewed through many lenses — from differing attacker motivations and cybercriminal arsenal to technological developments and global threat intelligence — only so defenders can keep up with the broad range of threats. [Read our security predictions for 2020.](https://www.trendmicro.com/vinfo/us/security/research-and-analysis/predictions/2020) ##### Business Process Compromise ----- [more, read our Security 101: Business Process Compromise.](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/security-101-business-process-compromise) [more, read our Security 101: Business Process Compromise.](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/security-101-business-process-compromise) ##### Recent Posts [New Android Spyware ActionSpy Revealed via Phishing Attacks from Earth Empusa](https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/) [Patch Tuesday: Fixes for LNK, SMB, and SharePoint Bugs](https://blog.trendmicro.com/trendlabs-security-intelligence/patch-tuesday-fixes-for-lnk-smb-and-sharepoint-bugs/) [New Tekya Ad Fraud Found on Google Play](https://blog.trendmicro.com/trendlabs-security-intelligence/new-tekya-ad-fraud-found-on-google-play/) [Barcode Reader Apps on Google Play Found Using New Ad Fraud Technique](https://blog.trendmicro.com/trendlabs-security-intelligence/barcode-reader-apps-on-google-play-found-using-new-ad-fraud-technique/) [Backdoor, Devil Shadow Botnet Hidden in Fake Zoom Installers](https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-devil-shadow-botnet-hidden-in-fake-zoom-installers/) ##### Popular Posts [Barcode Reader Apps on Google Play Found Using New Ad Fraud Technique](https://blog.trendmicro.com/trendlabs-security-intelligence/barcode-reader-apps-on-google-play-found-using-new-ad-fraud-technique/) [QAKBOT Resurges: Despite Takedowns, Online Banking Threats Persist](https://blog.trendmicro.com/trendlabs-security-intelligence/despite-arrests-and-takedowns-online-banking-threats-persist/) [Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining](https://blog.trendmicro.com/trendlabs-security-intelligence/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining/) [Third-Generation QAKBOT: Repackaged with Improved Propagation](https://blog.trendmicro.com/trendlabs-security-intelligence/third-generation-qakbot-repackaged-with-improved-propagation/) [TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy](https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/) ##### Stay Updated Email Subscription Your email here Subscribe [HOME AND HOME OFFICE](http://www.trendmicro.com/us/home/index.html) | [FOR BUSINESS](http://www.trendmicro.com/us/business/index.html) | [SECURITY INTELLIGENCE](http://www.trendmicro.com/us/security-intelligence/index.html) | [ABOUT TREND MICRO](http://www.trendmicro.com/us/about-us/index.html) [Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣](http://www.trendmicro.com.au/au/home/index.html) [Latin America Region (LAR): Brasil, México](http://br.trendmicro.com/br/home/index.html) North America Region [(NABU): United States, Canada](http://www.trendmicro.com/us/index.html) [Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland](http://www.trendmicro.fr/) [Privacy Statement](http://www.trendmicro.com/us/about-us/legal-policies/privacy-statement/index.html) [Legal Policies](http://www.trendmicro.com/us/about-us/legal-policies/index.html) Copyright © 2020 Trend Micro Incorporated. All rights reserved. -----