ActionSpy


Posted: June 12, 2020

ActionSpy is an Android spyware toolkit that was first analyzed thoroughly in June 2020. However, cybersecurity researchers believe that its creators may have been using it for at least three years. The threat appears to be used in targeted attacks, so it is unlikely to be widespread – however, the groups and users that ActionSpy does target are at considerable risk, since the spyware can take almost full control of their Android devices and then use that access to collect data or monitor the victim's activity.

Two of the most recent ActionSpy campaigns targeted users in Tibet exclusively, and the payload was delivered through fake download pages that impersonated applications popular in Tibet. One of these applications is 'Ekran,' one of the more popular mobile video players among Tibetan users. The attackers created a fake page that impersonated Ekran's official website and download page, and linked to a corrupted package that bundled the legitimate Ekran APK with the ActionSpy spyware. Users who ran the threatening package may not notice anything out of the ordinary, since the Ekran application is installed and works correctly – however, the Android device is also infected with ActionSpy.

Once running, ActionSpy will connect to the Command and Control server that it has been configured to use. The attackers can send commands that will force the implant to perform certain actions, and, in the meantime, ActionSpy will transfer information about the infected device's hardware and software every 30 seconds.
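To show how a defender could spot the fixed-interval device-info heartbeat described above, here is an added example (not code from the original page or from any ActionSpy analysis) that scans connection-log lines for (source, destination) pairs that talk at a near-constant cadence of about 30 seconds; the log format, the hosts in the sample and the thresholds are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not from the page): "unix_ts,src,dst" per outbound
# connection. 10.0.0.5 contacts one host every ~30 s, like the ActionSpy
# heartbeat described above; 10.0.0.7 is ordinary, irregular traffic.
SAMPLE_LOG = """\
1591900000,10.0.0.5,203.0.113.10
1591900030,10.0.0.5,203.0.113.10
1591900060,10.0.0.5,203.0.113.10
1591900091,10.0.0.5,203.0.113.10
1591900120,10.0.0.5,203.0.113.10
1591900003,10.0.0.7,198.51.100.20
1591900047,10.0.0.7,198.51.100.20
1591900200,10.0.0.7,198.51.100.20
1591900212,10.0.0.7,198.51.100.20
1591900290,10.0.0.7,198.51.100.20
"""

def parse_log(text):
    """Group connection timestamps by (src, dst) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split(",")
            flows[(src, dst)].append(int(ts))
    return flows

def beacon_score(timestamps):
    """Mean gap and jitter (stdev/mean) between consecutive connections;
    jitter near 0 means a machine-regular cadence. None if too few samples."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    return m, pstdev(gaps) / m

def find_beacons(text, expected=30, tolerance=0.2, max_jitter=0.1):
    """Flag (src, dst) pairs whose cadence is regular and within
    tolerance of the expected interval (30 s for ActionSpy's heartbeat)."""
    hits = []
    for pair, stamps in parse_log(text).items():
        score = beacon_score(stamps)
        if score is None:
            continue
        m, jitter = score
        if abs(m - expected) <= expected * tolerance and jitter <= max_jitter:
            hits.append((pair, round(m, 1)))
    return hits
```

The jitter threshold is what separates a scripted heartbeat from a user who happens to reload a page a few times; tune `expected` to whatever interval a given sample exhibits.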

ActionSpy supports a wide range of features, and its operators could perform the following tasks on the compromised Android phone:

  • Access the GPS sensor to gain the victim's approximate location
  • Access call logs, contacts and text messages
  • Collect browser bookmarks and history
  • Manage the device's WiFi connection
  • Collect files using specific file extensions
  • Use the camera to take photos or videos
  • Use the microphone or take a screenshot of the device's screen
  • Collect chat logs from Viber, QQ, WeChat and WhatsApp
  • Collect files that the victim received via WeChat

ActionSpy can perform the tasks listed above only if the user grants it access to Android's accessibility services – a common trick that many Android malware families use to gain escalated privileges.

The ActionSpy spyware toolkit is certainly an advanced project, and it could become a serious threat if its operators decide to propagate it worldwide. For now, ActionSpy attacks are focused on Tibetan activists and organizations.