ActionSpy Description

ActionSpy is a spyware toolkit that targets Android devices exclusively. Malware researchers first analyzed the activity of ActionSpy in depth in June 2020, and according to them ActionSpy may have been active for over three years. The ActionSpy campaigns did not go after users en masse; instead, the attacks targeted specific individuals, so it is likely that not many users have been affected. Despite the low infection rate, ActionSpy should not be underestimated, as the spyware is capable of taking almost complete control of the targeted Android devices.

In two of the latest ActionSpy operations, the targets were Tibetan individuals. The infection vector used in these campaigns was bogus download pages, which passed themselves off as the download pages of applications popular among users in the Tibetan region. One of the applications is a mobile video player service called Ekran, which is one of the most popular applications of this type in Tibet. The operators of the ActionSpy campaign set up bogus websites that would appear legitimate to inexperienced users. The sites contained a download link that, when clicked, downloaded the spyware payload onto the user’s device alongside a functional copy of the Ekran application. Users may therefore not realize that anything has gone wrong, because they get the outcome they expected: a working Ekran application.

Once ActionSpy has compromised the targeted Android device, it immediately connects to the attackers' C&C (Command & Control) server, from which it receives its commands. While ActionSpy is active on the host, it sends data about the software and hardware of the device to the C&C server twice every minute. Upon compromising a device, ActionSpy asks the user to permit it to use the accessibility features. If the user grants the permission, ActionSpy is able to:

  • Record audio via the microphone of the compromised device.
  • Record video and take photos via the camera of the compromised device.
  • Take screenshots of the device.
  • Manage the Wi-Fi connection of the device.
  • Obtain the browsing history and the bookmarks from the user’s Web browser.
  • Use the GPS service to locate the victim.
  • Get access to the device’s call logs, text messages and contacts list.
  • Locate and collect files based on their file type.
  • Collect files, which were received via the WeChat application.
  • Collect conversations from WeChat, Viber, WhatsApp and QQ.
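
The twice-a-minute check-in described above gives defenders a network signal to hunt for. The following is an added example, not code from the original write-up: it flags device and destination pairs whose contacts recur at a steady interval of about 30 seconds. The log format, host names and thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (timestamp, device, destination); not real traffic.
SAMPLE_LOG = """\
2020-06-11T10:00:00 phone-a c2.example.invalid
2020-06-11T10:00:05 phone-a video.example.invalid
2020-06-11T10:00:09 phone-a video.example.invalid
2020-06-11T10:00:30 phone-a c2.example.invalid
2020-06-11T10:01:01 phone-a c2.example.invalid
2020-06-11T10:01:30 phone-a c2.example.invalid
2020-06-11T10:02:00 phone-a c2.example.invalid
2020-06-11T10:02:31 phone-a c2.example.invalid
2020-06-11T10:04:40 phone-a video.example.invalid
2020-06-11T10:05:02 phone-a video.example.invalid
2020-06-11T10:11:30 phone-a video.example.invalid
2020-06-11T10:00:00 phone-b mail.example.invalid
2020-06-11T10:05:00 phone-b mail.example.invalid
2020-06-11T10:10:00 phone-b mail.example.invalid
2020-06-11T10:15:00 phone-b mail.example.invalid
2020-06-11T10:20:00 phone-b mail.example.invalid
"""

def find_beacons(log_text, period=30.0, tolerance=5.0, max_jitter=3.0, min_events=5):
    """Return sorted (device, destination) pairs contacted every ~period seconds."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        stamp, device, dest = parts
        seen[(device, dest)].append(datetime.fromisoformat(stamp))
    hits = []
    for pair, times in seen.items():
        if len(times) < min_events:
            continue  # too few contacts to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps)
        # Median absolute deviation: a low value means a machine-like rhythm.
        jitter = median(abs(g - mid) for g in gaps)
        if abs(mid - period) <= tolerance and jitter <= max_jitter:
            hits.append(pair)
    return sorted(hits)

if __name__ == "__main__":
    for device, dest in find_beacons(SAMPLE_LOG):
        print(f"{device} -> {dest}: steady ~30 s check-ins")
```

Periodic traffic alone is not proof of compromise, since legitimate applications also poll on timers; a hit is a lead to correlate with the destination's reputation and the applications installed on the device.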

ActionSpy is a high-end project that is fully capable of carrying out complex reconnaissance operations. Although the ActionSpy campaigns are mainly concentrated in Tibet, it is likely that this project will be used against other targets in the future.