Dec 18, 2025 | Ravie Lakshmanan | Malware / Mobile Security
New Android Malware Campaign Unveiled
The notorious North Korean threat actor, Kimsuky, has emerged with a sophisticated new campaign that introduces a variant of Android malware known as DocSwap. This malware is being disseminated through QR codes that are hosted on phishing websites masquerading as the Seoul-based logistics company, CJ Logistics, previously known as CJ Korea Express.
According to cybersecurity firm ENKI, the attackers used QR codes and notification pop-ups to entice victims into downloading and executing the malware on their mobile devices. The malicious application decrypts an embedded APK and starts a malicious service that provides Remote Access Trojan (RAT) capabilities.
To navigate Android’s built-in security measures, which typically block installations from unknown sources and issue warnings, the threat actor presents the app as a legitimate and safe release. This tactic aims to mislead victims into disregarding security alerts and proceeding with the installation.
ENKI’s analysis reveals that some of the malicious artifacts are disguised as package delivery service applications. It is believed that the attackers are employing smishing texts or phishing emails that impersonate delivery companies, tricking recipients into clicking on compromised URLs that host the malicious apps.
A particularly notable feature of this attack is its reliance on QR code-based mobile redirection. Users who access the URLs from desktop computers are prompted to scan a QR code displayed on the webpage with their Android devices. This process is presented as a means to install a shipment tracking app to check the status of their deliveries.
Within the phishing page, a tracking PHP script assesses the User-Agent string of the browser and subsequently displays a message urging users to install a security module. This is framed as a requirement for verifying their identity in compliance with alleged “international customs security policies.”
Should a victim choose to install the app, an APK package named “SecDelivery.apk” is downloaded from a designated server. This APK then decrypts and loads an embedded encrypted APK to launch the new version of DocSwap. Before proceeding, it ensures that it has acquired the necessary permissions to read and manage external storage, access the internet, and install additional packages.
Once all permissions are confirmed, the application registers a service named ‘com.delivery.security.MainService’. At the same time, it launches an activity that masquerades as an OTP authentication screen, “verifying” the user’s identity against a delivery number hard-coded in the APK.
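The permission set and service registration described above give a defender a cheap static triage check. The following script is an added example, not ENKI’s tooling: it parses a decoded AndroidManifest.xml and flags a delivery-themed app that combines internet, storage-management and package-install permissions with a background service. The manifest it inspects is constructed here to mirror the described dropper; the package name and activity name are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# A shipment-tracking app has no legitimate need for all three of these together:
# the dropper needs them to stage, decrypt and install the embedded APK.
DROPPER_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
    "android.permission.INTERNET",
}

# Constructed sample manifest (as produced by decoding an APK); package and
# activity names are assumptions, the service name is the one ENKI reported.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.delivery.security">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="SecDelivery">
    <service android:name="com.delivery.security.MainService" android:exported="false"/>
    <activity android:name=".OtpActivity"/>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return declared permissions, services and a verdict for one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    # android:name attributes are namespaced; element tags are not.
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    services = [e.get(ANDROID_NS + "name") for e in root.iter("service")]
    # Full dropper permission set plus at least one service => send to an analyst.
    suspicious = DROPPER_PERMISSIONS <= perms and bool(services)
    return {
        "package": root.get("package"),
        "dropper_permissions": sorted(DROPPER_PERMISSIONS & perms),
        "services": services,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The check is a triage heuristic for an analyst queue, not a verdict on its own; legitimate apps occasionally need REQUEST_INSTALL_PACKAGES, so the finding should be combined with the decoy-URL and hard-coded-number indicators the article lists.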
The delivery number, “742938128549,” is likely provided alongside the malicious URL during the initial access phase. Upon entering this number, the app generates a random six-digit verification code, which is displayed as a notification. Users are then prompted to input this code.
Upon successful entry, the app opens a legitimate URL for CJ Logistics while simultaneously connecting to an attacker-controlled server. This connection enables the malware to execute up to 57 commands, including logging keystrokes, capturing audio, initiating and halting camera recordings, performing file operations, and gathering sensitive information such as location data, SMS messages, contacts, call logs, and a list of installed applications.
In addition to the DocSwap variant, ENKI has identified two other samples disguised as a P2B Airdrop app and a trojanized version of a legitimate VPN application known as BYCOM VPN, which is available on the Google Play Store and developed by Bycom Solutions, an Indian IT services firm.
This development indicates that the threat actor has injected malicious functionalities into legitimate APKs, repackaging them for their nefarious purposes. Further investigations into the threat actor’s infrastructure have revealed phishing sites imitating popular South Korean platforms like Naver and Kakao, aimed at capturing user credentials. These sites have shown connections to a previous Kimsuky credential harvesting campaign targeting Naver users.
ENKI notes that the executed malware launches a RAT service, exhibiting capabilities similar to past incidents while also demonstrating advancements, such as employing a new native function for decrypting the internal APK and incorporating various decoy behaviors.