ActionSpy
ActionSpy is an Android spyware family documented by Trend Micro and detected as AndroidOS_ActionSpy.HRX. It has been attributed to the China-aligned threat actor Earth Empusa, also known as Evil Eye and POISON CARP. Reporting links its use to campaigns targeting Uyghur-related victims and users in Tibet, Turkey, and later Taiwan, with broader targeting of activists, journalists, and dissidents, predominantly Uyghurs from Xinjiang living abroad. Facebook also reported ActionSpy as one of two Android malware families, alongside PluginPhantom, distributed in a China-linked cyber-espionage operation aligned with Earth Empusa/Evil Eye.
ActionSpy was delivered through phishing and social-engineering infrastructure, including trojanized Uyghur-themed Android applications and fake third-party app-store pages. Trend Micro reported a phishing page disguised as a download page for a popular Android video application in Tibet that delivered ActionSpy. The malware impersonated the legitimate Uyghur video app Ekran and used VirtualApp to run an embedded legitimate Ekran APK inside a virtual environment so the app retained expected appearance and functionality. Facebook separately reported websites mimicking third-party Android app stores that offered trojanized Uyghur-themed apps such as a keyboard app, prayer app, and dictionary app carrying ActionSpy or PluginPhantom.
Technically, ActionSpy is an Android surveillance implant protected with Bangcle to hinder static analysis and detection. It stores configuration data, including its command-and-control address, encrypted with DES, with the decryption key generated in native code. It communicates with C2 servers over HTTP using RSA-encrypted traffic and sends heartbeat requests every 30 seconds containing device information including IMEI, phone number, manufacturer, and battery status.
Its surveillance capabilities include collection of location and geographic area data, contacts, call logs, SMS messages, browser bookmarks, installed applications, running processes, file listings, file upload, audio recording, camera capture, screenshots, Wi-Fi control, WeChat directory access, WeChat file theft, and chat-log theft. A notable feature is abuse of Android Accessibility services: ActionSpy poses as a memory garbage cleaning service to induce the user to enable Accessibility, then monitors VIEW_SCROLLED and WINDOW_CONTENT_CHANGED events from WeChat, QQ, WhatsApp, and Viber. It parses nicknames, chat contents, and chat times from those apps, stores them in a local SQLite database, and on receipt of the wxrecord command converts the logs to JSON and exfiltrates them to C2.
Trend Micro assessed that ActionSpy may have existed since at least 2017 based on certificate signing time and older samples. Known indicators directly mentioned in the reporting include MD5 sample hash 9bc5fec740bdb4d93f2da9b2db75dc3f and domains hosting ActionSpy malware such as gotossl[.]ml, geo2ipapi[.]org, and anayurt[.]net.
Groups observed using it
5 distinct threat actors attributed by public researchers.
"While tracking Earth Empusa, also known as POISON CARP/Evil Eye, we identified an undocumented Android spyware we have named ActionSpy (detected by Trend Micro as AndroidOS_ActionSpy.HRX)."
"...trojanized ... applications... with two Android malware strains — ActionSpy or PluginPhantom."
Techniques & procedures
19 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
1 technique
Resource Development
1 technique
“set up malicious websites that used look-alike domains for popular Uyghur and Turkish news sites.”
Initial Access
3 techniques
Earth Empusa also employs watering hole attacks to compromise iOS devices. The group injected their malicious scripts on websites that their targets could potentially visit and load the injected script from it.
This group is known to use watering hole attacks, but we recently observed them using phishing attacks to deliver their malware.
Earth Empusa also used social engineering lures to trick its targets into visiting the phishing pages.
Privilege Escalation
1 technique
ActionSpy, in turn, adopts an indirect approach: it prompts users to turn on its Accessibility service and claims that it is a memory garbage cleaning service.
Stealth
2 techniques
In addition, it’s also protected by Bangcle to evade static analysis and detection. ActionSpy’s configuration, including its C&C server address, is encrypted by DES. The decryption key is generated in native code.
This malware impersonates a legitimate Uyghur video app called Ekran. The malicious app has the same appearance and features as the original app.
Discovery
5 techniques
Every 30 seconds, ActionSpy will collect basic device information like IMEI, phone number, manufacturer, battery status, etc., which it sends to the C&C server as a heartbeat request.
dir: Collect specific types of file list on SDCard, like txt, jpg, mp4, doc, xls...
location: Get device location latitude and longitude
geo: Get geographic area like province, city, district, street address
Collection
5 techniques
If all the above conditions are met, ActionSpy parses the current activity contents and extracts information like nicknames, chat contents, and chat time.
Command and Control
1 technique
All the communication traffic between C&C and ActionSpy is encrypted by RSA and transferred via HTTP.
IOCs tracked for this family
36 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Android-targeted spyware/malware family attributed in prior reporting to POISON CARP, referenced here for attribution context (links to Chinese development companies).
Android malware embedded in trojanized Uyghur-themed apps distributed via fake third-party app stores to enable surveillance of targeted users.
Android spyware used by Earth Empusa that impersonates the legitimate Uyghur video app Ekran, collects device information, contacts, SMS, call logs, files, location, screenshots, audio, camera images, and abuses Android Accessibility to harvest chat logs from WeChat, QQ, WhatsApp, and Viber. It communicates with C2 over HTTP using RSA-encrypted traffic and stores configuration encrypted with DES.