
Threat Group Cards: A Threat Actor Encyclopedia

Tool: ActionSpy

Names: ActionSpy
Category: Malware
Type: Reconnaissance, Backdoor, Info stealer, Exfiltration
Description: (Trend Micro) This malware impersonates a legitimate Uyghur video app called Ekran. The malicious app has the same appearance and features as the original app. It is able to achieve this with VirtualApp. In addition, it’s also protected by Bangcle to evade static analysis and detection.

Every 30 seconds, ActionSpy will collect basic device information like IMEI, phone number, manufacturer, battery status, etc., which it sends to the C&C server as a heartbeat request. The server may return some commands that will be performed on the compromised device. All the communication traffic between C&C and ActionSpy is encrypted by RSA and transferred via HTTP.
Information: <https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/>
Malpedia: <https://malpedia.caad.fkie.fraunhofer.de/details/apk.actionspy>
AlienVault OTX: <https://otx.alienvault.com/browse/pulses?q=tag:actionspy>

Last change to this tool card: 23 April 2021

All groups using tool ActionSpy

Changed | Name | Country | Observed |

APT groups

 | Poison Carp, Evil Eye | China | 2018-Mar 2021 | X

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
