ActionSpy

Malware

⚠️ Overview

ActionSpy is a mobile spyware targeting Android devices, first publicly documented by Kaspersky in August 2018 and attributed to the North Korean state-sponsored Lazarus Group (also tracked as HIDDEN COBRA). It is classified as a Remote Access Trojan (RAT) designed for covert surveillance and data exfiltration via malicious Android applications.

🔧 Technical Capabilities

ActionSpy abuses Android permissions to collect contacts, SMS messages, call logs, geolocation data, device information, audio recordings, and photos, sending them to a command-and-control (C2) server over encrypted HTTPS. It achieves persistence by registering as a device administrator and hiding its icon from the launcher. Evasion techniques include obfuscated code, dynamic permission requests, and checks for rooted devices or emulator environments. Propagation relies on social engineering: victims are tricked into sideloading fake apps disguised as Samsung keyboard updates, system utilities, or messaging clients. The malware uses a custom encryption scheme and communicates with C2 servers via HTTP POST requests, often mimicking legitimate services like Google Analytics to blend in.

📜 History & Notable Incidents

First observed in 2018, ActionSpy was used in targeted campaigns against North Korean defectors, human rights activists, and journalists in South Korea. In 2021, a variant was linked to the Lazarus subgroup BlueNoroff targeting cryptocurrency executives via fake job offers. No common vulnerabilities and exposures (CVEs) are directly exploited; the malware relies on user-installed applications outside official stores.

🔍 Detection Indicators

Indicators include package names such as com.android.systemupdate and com.samsung.android.update; file hashes (SHA-256) listed in Kaspersky’s threat intelligence portal; network IOCs featuring C2 domains ending in .xyz or .tk; and encrypted configuration files stored in the app's private data directory under /data/data/. Behavioral detection includes unusual SMS forwarding, excessive permission requests, and outbound HTTPS traffic to anomalous IP ranges associated with North Korean infrastructure.
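The following triage script is an added example, not part of the original page or of any vendor tooling. It applies two of the indicator classes listed above to artefacts a defender can collect: the installed-package list from `adb shell pm list packages` (whose `package:<name>` line format is real) and an outbound-connection log. The log format, the host names and the IP address are constructed for the example, as is the `->` host-extraction regex, which should be adapted to whatever sensor is actually in use. TLD matching is only a triage hint, never a block rule on its own.

```python
"""Triage helper for the ActionSpy indicators on this page (added example).

Flags installed packages whose names match the suspicious package names
listed above, and outbound connections to hosts on the .xyz / .tk TLDs
named as C2 indicators. All sample input is constructed.
"""
import re

# Package names taken from the indicator list above.
SUSPICIOUS_PACKAGES = {"com.android.systemupdate", "com.samsung.android.update"}
# TLDs named above as C2 hosting; coarse, so treat hits as leads only.
SUSPICIOUS_TLDS = (".xyz", ".tk")

# Constructed sample of `adb shell pm list packages` output.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome
package:com.samsung.android.update
package:com.example.notes
package:com.android.systemupdate
"""

# Constructed sample of an outbound-connection log; the format is an
# assumption for this example (timestamp, source IP, "->", host:port).
SAMPLE_NET_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 -> www.google-analytics.com:443
2024-01-01T10:00:05Z 10.0.0.5 -> update-check.example.xyz:443
2024-01-01T10:00:09Z 10.0.0.5 -> cdn.example.com:443
2024-01-01T10:00:12Z 10.0.0.5 -> sync.example.tk:443
"""

HOST_RE = re.compile(r"->\s+([A-Za-z0-9.-]+):(\d+)")


def parse_packages(pm_output):
    """Return package names from `pm list packages` style output."""
    pkgs = []
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.append(line[len("package:"):])
    return pkgs


def flag_packages(packages):
    """Return the installed packages that match the indicator names, sorted."""
    return sorted(p for p in packages if p in SUSPICIOUS_PACKAGES)


def flag_hosts(net_log):
    """Return destination hosts on the suspicious TLDs, in log order."""
    hits = []
    for line in net_log.splitlines():
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower().rstrip(".")
        if host.endswith(SUSPICIOUS_TLDS):
            hits.append(host)
    return hits


def triage(pm_output, net_log):
    """Combine both checks into one report dict."""
    return {
        "packages": flag_packages(parse_packages(pm_output)),
        "hosts": flag_hosts(net_log),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_PM_OUTPUT, SAMPLE_NET_LOG)
    for kind, items in report.items():
        for item in items:
            print(f"[{kind}] suspicious: {item}")
```

Package-name hits deserve follow-up because a legitimate system update component would ship in the firmware, not as a user-installed package; a hit on a sideloaded package of that name is the behaviour the page describes. Host hits are weaker evidence and should be correlated with the device that produced them and with the hash indicators before any action is taken.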

☠️ Risk & Impact

ActionSpy poses severe privacy and espionage risks, enabling persistent surveillance of victims’ communications, locations, and contacts. It primarily targets individuals in human rights and financial sectors, with potential for large-scale credential harvesting and corporate espionage. Financial losses stem from follow-on phishing attacks and cryptocurrency theft, notably in the 2021 BlueNoroff campaign.

🛡️ Mitigation

Mitigation relies on user education to avoid sideloading apps, enforcing strict app permission policies, and deploying mobile threat defense solutions like Kaspersky Mobile Security or CrowdStrike Falcon for Mobile that detect ActionSpy signatures. No specific patch exists; regular monitoring of device administrator lists and outbound network traffic is recommended.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.