Download 418082 Mp4

The malware that infects the mobile devices is found to be associated with a sequence of iOS exploit chain attacks in the wild since 2016. In April 2020, we noticed a phishing page disguised as a download page of an Android video application that is popular in Tibet. The phishing page, which appears to have been copied from a third-party web store, may have been created by Earth Empusa. This is based on the fact that one of the malicious scripts injected on the page was hosted on a domain belonging to the group. Upon checking the Android application downloaded from the page, we found ActionSpy.

Download 418082 mp4

Upon continued investigation in late April 2020, we found another phishing page that appears to be copied from a third-party web store and injected with two scripts to load ScanBox and BeEF frameworks. This phishing page invites users to download a video app that is known to Tibetan Android users. We believe the page was created by Earth Empusa because the BeEF framework was running on a domain that reportedly belongs to the group. The download link was modified to an archive file that contains an Android application. Analysis then revealed that the application is an undocumented Android spyware we named ActionSpy. 041b061a72