APT37 Delivers Android Backdoor BirdCall in Supply-Chain Attack
The North Korean hacker group APT37, also known as ScarCruft and Ricochet Chollima, has been making headlines for delivering an Android version of the notorious backdoor called BirdCall in a supply-chain attack through a video game platform.
Development of BirdCall for Android
While BirdCall is a well-known backdoor for Windows systems, APT37 has taken it a step further by developing a variant for Android that not only serves as a backdoor but also doubles as spyware. According to cybersecurity researchers at ESET, the threat actor created the Android version of BirdCall around October 2024 and has since developed at least seven different versions.
The attacks observed by ESET delivered the malware through sqgame[.]net, a Chinese website that hosts games for Android, iOS, and Windows. Only the Android and Windows downloads were trojanized, however, so only users of those two platforms were targeted in the ScarCruft attacks.
The platform in question caters to Koreans in the autonomous Yanbian region in China, which serves as a crossing point for North Korean defectors and refugees.
BirdCall Spyware Capabilities
BirdCall is a malware family associated with ScarCruft and has been documented since 2021. The Windows version of BirdCall is known for its ability to record keystrokes, take screenshots, steal clipboard contents, exfiltrate files, and execute commands.
The campaign identified by ESET introduced a previously undocumented version of BirdCall developed specifically for Android. This version was delivered by trojanizing APKs on the compromised platform.
The Android variant of BirdCall comes with a range of capabilities, including extracting IP geolocation information, collecting contact lists, call logs, and SMS data, as well as device information such as OS, kernel, rooted status, IMEI number, MAC address, IP address, and network information. It also sends information to a command-and-control server about battery temperature, RAM, storage, backdoor version, and specific file extensions of interest.
Other capabilities of the Android variant include taking periodic screenshots, recording audio via the microphone during specific hours, playing a silent MP3 in a loop so that the system does not suspend the backdoor's process, and exfiltrating files from a specified directory.
Despite its extensive capabilities, the Android version of BirdCall does not feature all the commands present in the Windows version. Missing capabilities on Android include shell command execution, traffic proxying, targeting data from browsers and messenger apps, file deletion and dropping, and process killing.
To protect against malware infections, users are strongly advised to download software only from official marketplaces and trusted publisher sites.