ActionSpy

Description

(Trend Micro) This malware impersonates a legitimate Uyghur video app called Ekran. The malicious app has the same appearance and features as the original app. It is able to achieve this with VirtualApp. In addition, it’s also protected by Bangcle to evade static analysis and detection.

Every 30 seconds, ActionSpy will collect basic device information like IMEI, phone number, manufacturer, battery status, etc., which it sends to the C&C server as a heartbeat request. The server may return some commands that will be performed on the compromised device. All the communication traffic between C&C and ActionSpy is encrypted by RSA and transferred via HTTP.

Names

Name
ActionSpy
AxeSpy

Category

Malware

Type

• Reconnaissance
• Backdoor
• Info stealer
• Exfiltration

Information

• https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/

Malpedia

• https://malpedia.caad.fkie.fraunhofer.de/details/apk.actionspy

Alienvault Otx

• https://otx.alienvault.com/browse/pulses?q=tag:actionspy

Other Information

Uuid

f1efe8d0-5fcc-4443-b2aa-cfe89f0ff366

Last Card Change

2022-12-28