Researchers warn that the Earth Empusa threat group is distributing the spyware by injecting code into fake and watering-hole pages.
Researchers have discovered a new Android spyware, dubbed ActionSpy, targeting victims across Tibet, Turkey and Taiwan. The spyware is distributed either via watering-hole websites or fake websites.
Researchers believe ActionSpy is being used in ongoing campaigns to target Uyghur victims. The Uyghurs, a Turkic minority ethnic group affiliated with Central and East Asia, have previously been targeted in spyware attacks. Though they first discovered the spyware in April 2020, researchers believe, based on the signing time of its certificate, that ActionSpy has existed for at least three years.
“ActionSpy, which may have been around since 2017, is an Android spyware that allows the attacker to collect information from the compromised devices,” said researchers with Trend Micro in a Thursday analysis. “It also has a module designed for spying on instant messages… and collecting chat logs from four different instant messaging applications.”
Researchers discovered ActionSpy being spread via several pages in April 2020. How these pages were distributed in the wild, whether via phishing emails or otherwise, is unclear, researchers said.
Some of these websites were actually fake. For instance, one page replicated news pages from the World Uyghur Congress website. Others were legitimate websites that had been compromised.
Researchers identified a news website and a political party website in Turkey that were compromised and used in the attack, for instance, as well as a university website and a travel agency site based in Taiwan that were also compromised and used as watering-hole websites.