Earth Empusa threat group distributing Android 'ActionSpy' spyware to target minority group in Tibet and Turkey

ActionSpy supports numerous modules which enable hackers to collect confidential information from compromised devices, including device IMEI, user phone number and contacts

Researchers from cybersecurity firm Trend Micro claim to have identified a new type of Android spyware that is being used by the Earth Empusa threat group to collect sensitive information from the members of Uighur ethnic group across Tibet, Turkey and Taiwan.

The researchers said they first spotted this previously undocumented piece of malware, dubbed ActionSpy, in April 2020, although its certificate sign time suggests that it first appeared at least three years back in 2017.

"During the first quarter of 2020, we observed Earth Empusa ' s activity targeting users in Tibet and Turkey before they extended their scope to include Taiwan," the researchers stated in a new report.

Earth Empusa, also known as Evil Eye or Poison Carp, is a hacking group with suspected links to China. The group has a history of targeting members of Tibetan groups. Between November 2018 and May 2019, Earth Empusa sent malicious links in individually tailored WhatsApp text exchanges to senior members of Tibetan groups, with the attackers posing as NGO workers and journalists.

China is implementing a major crackdown on Uighers in Xinjiang province.

According to researchers, members of Earth Empusa are currently distributing the ActionSpy by injecting code into either fake or watering-hole pages. The researchers said they found a fake website impersonating news pages from the World Uighur Congress website to distribute spyware. Some legitimate but compromised websites were also used by hackers to target victims.

In April, a website was discovered that offered users to download a Uighur video app called Ekran, which is highly popular among Tibetan Android users. In reality, hackers had injected the page of the website with two scripts that enabled them to deploy the cross-site scripting Browser Exploitation Framework (BeEF) as well as the ScanBox framework on a target device.

ScanBox enables hackers to collect information about the visitor ' s system without infecting the system, while BeEF is a penetration testing tool that focuses on the web browser.

ActionSpy supports numerous modules which enable hackers to collect confidential information from compromised devices, including device IMEI, user phone number and contacts.

One of its modules can collect contact information, call logs, device location and SMS messages from the device. Another module allows hackers to collect chat logs from different instant messaging apps. The spyware can also capture screenshots, take photos with the camera and make a device connect to or disconnect from Wi-Fi.

The researchers warn that the spyware prompts "users to turn on its Accessibility service" while claiming to be a memory garbage cleaning service.

"Once the user enables the Accessibility service, ActionSpy will monitor Accessibility events on the device," they say.

To mitigate the risk, users are advised to keep their devices updated and to install apps only from trusted repositories, such as Google Play Store or App Store.