Trend Micro researchers have discovered a new strain of Android spyware being used in a widespread campaign against Taiwan and Turkey, as well as the Uyghur and Tibetan Chinese regions.

Researchers Ecular Xu and Joseph C. Chen say this Android spyware, which they named ActionSpy, has been active since 2017, stealing contacts, call logs, location data, SMS text logs, and instant messaging chat logs The company believes that.

It also takes screenshots and photos and records videos. The spyware appears to be related to the iPhone spyware Google released in 2019 that was deployed against Uyghurs.

Xu and Chen note that because the spyware exploits Android Accessibility, a mobile OS framework for users with hearing, vision, or mobility impairments, attackers can use QQ, Viber, WeChat, and Whatsapp's instant They warn that they can access messages and chat logs.

"While tracking Earth Empusa, also known as POISON CARP/Evil Eye, we noticed a phishing page posing as a download page for a popular Android video application in Tibet," Xu and Chen write.

Like the Uyghurs, the Tibetan minority in China has an active independence movement both within China and in exile. Trend Micro researchers noted that Earth Empusa's use of phishing pages is similar to another campaign discovered in March that planted spyware on iPhones in Hong Kong.

"The phishing page, which appears to have been copied from a third-party web store, may have been created by Earth Empusa. We checked Android applications downloaded from this page and found ActionSpy."

The attacker is likely a state-sponsored hacker working for the Chinese government, but Trend Micro cautions against saying so directly, as attribution is never certain.

The phishing page is written in Uighur with Arabic script, and the recipient is prompted to download a well-known Tibetan video app. In reality, however, it is dangerous Android spyware.

The researcher says: "The download link was modified into an archive file containing an Android application. Upon analysis, this application turned out to be an undocumented Android spyware that we named ActionSpy.

"This malware impersonates a legitimate Uighur video app called Ekran. This rogue app has the same look and functionality as the original app.

Xu and Chen explain that this Android spyware collects basic device information such as IMEI, phone number, manufacturer, and battery status every 30 seconds and sends it to a C&C server.

They warn: "ActionSpy employs an indirect approach, urging users to turn on accessibility services, claiming it is a memory garbage cleaning service.

Once the user turns on the accessibility service, ActionSpy monitors the accessibility events on the device.

To avoid being infected with this spyware or any form of Android spyware, make sure you are running one of the best Android antivirus apps. Another safety measure is to download apps only from the Google Play store, which is only partially accessible from mainland China.