North Korea Targeting Defectors with Android Malware Attacks

North Korea Targeting Defectors with Android Malware Attacks

With most malware campaigns, the goal is to infect as many people as possible. That’s not the case with the latest attack uncovered by researchers at McAfee. The company’s mobile research team reports that North Korea has been caught tinkering with Android malware again, but this time it’s using both Facebook and Google Play to target North Korean defectors living in South Korea.

According to McAfee, North Korea’s Sun Team hackers perpetrated the attack over the last several months. They likely infected around 100 targets, which isn’t a huge number compared with most malware campaigns. However, these were all highly targeted infiltrations to gather intelligence on political opponents. There are currently around 30,000 North Korean defectors living in the south.

The hackers used Facebook to distribute links to the malicious apps, focusing on populations and individuals who would have information about defectors. They created convincing fake profiles, often using images stolen from South Korean users as profile photos. Their posts asked the targets to download and test some Android apps hosted in the Play Store. These apps, however, were not what they appeared.

McAfee researchers found three apps uploaded by Sun Team hackers: 음식궁합 (Food Ingredients Info), Fast AppLock, and AppLockFree. All three were listed as “unreleased” in the Play Store, which kept them from garnering unwanted attention. The hackers only wanted to send specific targets to the listings. Upon installation, the apps would ask for access to contacts, SMS data, and local files before sending it all to the malware operators. This data could lead to more targets for future malware attacks, including both defectors and those who help them escape North Korea. McAfee tied the apps together as part of a single attack from the use of identical developer accounts, emails, and IP addresses.

North Korea Targeting Defectors with Android Malware Attacks

Luckily, McAfee believes Sun Team to be low on technical skill. The malware attempts to gain control of the target devices, but it uses publicly available sandbox escape, privilege escalation, and code execution exploits. Most devices are patched to block these attacks. So, McAfee suggests Sun Team doesn’t have the technical skill at this time to find new zero-day attacks on Android.

The researchers alerted Google and Facebook to the operation. Google has removed the malicious unreleased apps from the Play Store, and Facebook nuked the fake accounts. McAfee recommends users avoid installing apps that are unreleased or obscure to make sure they aren’t being phished.

Continue reading

Malware Masquerading as Android 2FA App Infected 10,000 Phones Before Removal
Malware Masquerading as Android 2FA App Infected 10,000 Phones Before Removal

Known simply as 2FA Authenticator, the app picked up more than 10,000 installs until security researchers identified it as a vehicle for trojan-dropper malware.

Clever Malware Masquerades as Windows 11 Installer
Clever Malware Masquerades as Windows 11 Installer

A Russian website disguised as an official Microsoft page is distributing an "upgrade installer" that won't get you Windows 11. What it will get you is a bunch of malware.

Researchers Devise Malware That Runs When an iPhone is Powered Off
Researchers Devise Malware That Runs When an iPhone is Powered Off

The iPhone's low-power mode allows users to access Express cards and locate lost devices even when the phone is turned off—but it also presents a concerning security vulnerability.

Google Warns of Sophisticated Malware Distributed With The Help of ISPs
Google Warns of Sophisticated Malware Distributed With The Help of ISPs

According to Google's Threat Analysis Group (TAG), this spyware was developed by an Italian company called RCS Labs. The firm claims to be on the right side of the law, but that doesn't change the fact its software is being used to breach user privacy.