Trend Micro researchers have found a new strain of Android spyware being used in a broader campaign against Chinese Uyghurs and the Chinese region of Tibet as well as Taiwan and Turkey.
The researchers, Ecular Xu and Joseph C. Chen, believe the Android spyware, which they named ActionSpy, has been active since 2017 and steals contacts, call logs, location, SMS text logs and instant-messaging chat logs.
It also takes screenshots and photos and records video. The spyware seems to be related to iPhone spyware deployed against Uyghurs that Google disclosed in 2019.
- The best Android antivirus apps: stay protected on your phone
- Best VPN: add an extra layer of security with a virtual private network
- Just in: Google Play Store kicks out 38 adware-infested Android apps
Xu and Chen warned that the spyware abuses Android Accessibility, the mobile OS's framework for users with hearing, vision or mobility impairments, so that the attackers can gain access to instant messages and chat logs from QQ, Viber, WeChat and Whatsapp.
“While tracking Earth Empusa, also known as POISON CARP/Evil Eye," Xu and Chen wrote, "we noticed a phishing page disguised as a download page of an Android video application that is popular in Tibet.”
As with the Uyghurs, the Tibetan minority in China has an active independence movement both in China and in exile. The Trend Micro researchers noted that Earth Empusa's use of phishing pages was similar to that of a different campaign discovered in March that was putting spyware on iPhones in Hong Kong.
"The phishing page, which appears to have been copied from a third-party web store, may have been created by Earth Empusa," they added. "Upon checking the Android application downloaded from the page, we found ActionSpy."
The attackers are presumably state-sponsored hackers working for the Chinese government, though Trend Micro is careful not to say so directly as attribution can never be certain.
Dangerous form of Android spyware
Through this phishing page, written in Uyghur using Arabic script, recipients are encouraged to download a video app well known in Tibet. But in reality, it’s a dangerous form of Android spyware.
The researchers said: “The download link was modified to an archive file that contains an Android application. Analysis then revealed that the application is an undocumented Android spyware we named ActionSpy.
“This malware impersonates a legitimate Uyghur video app called Ekran. The malicious app has the same appearance and features as the original app.”
Xu and Chen explained that the Android spyware collects basic device information like IMEI, phone number, manufacturer and battery status every 30 seconds, before sending it to a C&C server.
They warn: “ActionSpy, in turn, adopts an indirect approach: it prompts users to turn on its Accessibility service and claims that it is a memory garbage cleaning service.
“Once the user enables the Accessibility service, ActionSpy will monitor Accessibility events on the device.”
To avoid being infected by this or any form of Android spyware, make sure you're running one of the best Android antivirus apps. Another safety measure is to download apps only from the Google Play Store, but that's only partly accessible from the Chinese mainland.