A North Korean hacking group has recently turned its attention to a digital gaming platform popular within the Korean ethnic enclave in China, employing a sophisticated strategy to infiltrate Android applications. This platform, known for hosting a variety of digital card and board games, has become a focal point for security researchers concerned about the potential surveillance of defectors from North Korea.
Surveillance Tactics Unveiled
Researchers from ESET uncovered this campaign while investigating a suspicious Android app file on VirusTotal. Their analysis revealed that the app contained a backdoor, specifically an Android variant of a known backdoor linked to North Korea, referred to as BirdCall. The official website for the gaming platform, www.sqgame.net, was found to host the same APK file that had initially raised red flags on VirusTotal.
In addition to the first app, a second Android file associated with another game on the same website was also found to contain the BirdCall backdoor. ESET researchers attributed this supply-chain attack to a threat actor known as ScarCruft, also recognized as APT37 or Reaper. This group has been active primarily in Asia, with some operations extending into Europe and the Middle East since late 2024.
It appears that the hackers did not gain access to the source code of the games themselves. Instead, they likely compromised the web server, allowing them to recompile the original APKs to embed the backdoor. The Android version of BirdCall implements a subset of commands and capabilities from its Windows counterpart, enabling it to collect a wide array of sensitive information. This includes contacts, SMS messages, call logs, documents, media files, and private keys. Furthermore, the backdoor possesses the capability to take screenshots and record audio from the device’s surroundings.
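A rebuilt APK served from a compromised web server is detectable by anyone holding a known-good copy of the original build: every zip entry of the download can be hashed and compared, and any change to the manifest, the DEX files or the signing blocks means the package was recompiled. The following script is an added example (not ESET's or the platform's code); both APKs are constructed in memory and their entry names and contents are made up.

```python
"""Added example: diff a downloaded APK against a known-good build to spot the
server-side tampering described above. Both APKs here are constructed stand-ins
(a plain zip with invented entries), not real game packages."""
import hashlib
import io
import zipfile


def _entry_hashes(apk_bytes: bytes) -> dict:
    """Map every zip entry of the APK to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {n: hashlib.sha256(zf.read(n)).hexdigest() for n in zf.namelist()}


def diff_apk(known_good: bytes, candidate: bytes) -> dict:
    """Report entries added, removed or modified relative to the known-good build.
    Changes to AndroidManifest.xml, classes*.dex or META-INF/* signing files mean
    the APK was rebuilt and re-signed and must not be trusted."""
    good, cand = _entry_hashes(known_good), _entry_hashes(candidate)
    return {
        "added": sorted(set(cand) - set(good)),
        "removed": sorted(set(good) - set(cand)),
        "modified": sorted(n for n in good if n in cand and good[n] != cand[n]),
    }


def is_tampered(report: dict) -> bool:
    """True if any entry differs from the known-good build."""
    return any(report.values())


def _build_apk(entries: dict) -> bytes:
    """Constructed stand-in for an APK: a zip holding the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: the original build and a copy rebuilt with an extra DEX,
# an extended manifest (new permissions) and a fresh signing file.
ORIGINAL_APK = _build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.cardgame'/>",
    "classes.dex": b"dex\n035 original game code",
    "res/layout/main.xml": b"<LinearLayout/>",
    "META-INF/CERT.RSA": b"original developer signature",
})
REBUILT_APK = _build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.cardgame'>RECORD_AUDIO</manifest>",
    "classes.dex": b"dex\n035 original game code",
    "classes2.dex": b"dex\n035 injected payload",
    "res/layout/main.xml": b"<LinearLayout/>",
    "META-INF/CERT.RSA": b"attacker re-signature",
})

if __name__ == "__main__":
    print(diff_apk(ORIGINAL_APK, REBUILT_APK))
```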
The malware blends its command-and-control traffic with ordinary internet traffic by using legitimate cloud storage services, namely pCloud, Yandex Disk, and Zoho WorkDrive, as potential command-and-control servers. In practice, however, the hackers appear to have relied primarily on Zoho WorkDrive for their operations.