An investigation into a spyware campaign against North Korean defectors, journalists, and the groups and individuals that help them has revealed that the attacks are highly targeted.
The investigation follows reports by South Korean media that unknown actors were using KakaoTalk, a popular chat app in South Korea, and other social network services such as Facebook to send links to install malware on victims’ devices.
The links appear to be for a healthcare app called Blood Assistant or an app called Pray for North Korea, but clicking them results in spyware being installed on the victim’s device.
An identical dropper is used by both apps. McAfee has identified the spyware as Android/HiddenApp.BP.
The researchers found that in the case of the malicious links to Blood Assistant, Facebook was used in 12% of cases to send the link to its targets.
According to the researchers, the dropped Trojan uses the popular cloud services Dropbox and Yandex as its control servers, both to upload stolen data and to receive commands.
When the dropped Trojan is installed, it saves device information in a temporary folder and uploads it to the cloud, they said. It then downloads a file containing commands and other data to control the infected device.
Most of the malicious behaviours – such as saving contact information – are implemented inside a separate dex [Android executable] file named “core”, which is downloaded from the control server.
The researchers found that the command file has its own format, and that the handler for the command codes received from the cloud is implemented as a separate dex file, which is downloaded either before or after the malware parses the command file.
This mechanism allows the attacker to easily extend its malicious functionality without needing to update the whole malware, the researchers said.
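The staged design described above (a small dropper that references a dynamic dex loader and talks to a consumer cloud-storage API, with the real payload fetched later) is something an analyst can triage statically. The script below is an added example and is not code from the McAfee report or from the malware: it scans every `.dex` entry in an APK for dynamic-loading class descriptors and Dropbox/Yandex API hostnames, and flags any dex shipped outside `classes*.dex`. The indicator lists, the `scan_apk` and `build_sample_apk` helpers and the in-memory sample "APKs" are all constructed for illustration; the real command-file format and the campaign's actual indicators are not published on this page.

```python
"""Static triage for the staged-dex / cloud-C2 pattern (constructed example)."""
import io
import zipfile

# Dex files keep class descriptors and string literals in a plain (M)UTF-8
# string pool, so a byte search over the dex bytes finds these references.
# Indicator lists are assumptions for this example, not published IOCs.
DYNAMIC_LOAD_INDICATORS = (
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
)
CLOUD_C2_INDICATORS = (
    b"api.dropboxapi.com",
    b"content.dropboxapi.com",
    b"cloud-api.yandex.net",
    b"Lcom/dropbox/core/",  # Dropbox Java SDK package prefix
)


def _hits(blob: bytes, indicators) -> list:
    """Return the indicator strings present in blob, decoded for reporting."""
    return [i.decode() for i in indicators if i in blob]


def scan_apk(apk_bytes: bytes) -> dict:
    """Scan an APK (a zip) and report staged-loading / cloud-C2 indicators."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex_entries = [n for n in names if n.endswith(".dex")]
        blob = b"".join(z.read(n) for n in dex_entries)
    dynamic = _hits(blob, DYNAMIC_LOAD_INDICATORS)
    cloud = _hits(blob, CLOUD_C2_INDICATORS)
    # A dex outside classes*.dex (e.g. under assets/) is itself a staging sign.
    extra_dex = [n for n in dex_entries if not n.startswith("classes")]
    return {
        "dex_entries": dex_entries,
        "dynamic_loading": dynamic,
        "cloud_c2": cloud,
        "extra_dex": extra_dex,
        # Dynamic loading alone is common in legitimate apps; require a second
        # signal (cloud-storage C2 or a staged dex) before flagging.
        "suspicious": bool(dynamic) and bool(cloud or extra_dex),
    }


def build_sample_apk(dex_payload: bytes, extra_files=None) -> bytes:
    """Constructed stand-in for an APK: a zip with a fake classes.dex.

    Real dex files are binary structures; only the embedded strings matter
    for this scan, so a magic header plus the strings is enough here.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"")
        z.writestr("classes.dex", b"dex\n035\x00" + dex_payload)
        for name, data in (extra_files or {}).items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed sample dex contents (not taken from any real sample).
BENIGN_DEX = b"Landroid/app/Activity;Ljava/lang/String;onCreate"
STAGED_DEX = (
    b"Landroid/app/Activity;Ldalvik/system/DexClassLoader;"
    b"https://api.dropboxapi.com/2/files/download\x00core"
)


if __name__ == "__main__":
    for label, apk in (
        ("benign", build_sample_apk(BENIGN_DEX)),
        ("staged", build_sample_apk(STAGED_DEX)),
        ("bundled-stage", build_sample_apk(
            b"Ldalvik/system/DexClassLoader;", {"assets/core.dex": b"dex\n035\x00"})),
    ):
        print(label, scan_apk(apk))
```

Treat a hit as a triage lead, not a verdict: legitimate apps that bundle the Dropbox SDK and use dynamic feature loading will trigger it, and a sample whose strings are encrypted by an obfuscator will not, so a clean result is not a clearance. The downloaded "core" dex never appears inside the dropper APK at all, which is exactly why the researchers had to pull it from the control server to see the stolen-contacts logic.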
They believe the group behind this campaign is familiar with South Korean culture, TV shows, drama and the language because the account names associated with the cloud services are from Korean drama and TV shows.
The researchers were able to link the malware to a group called The Sun Team, which appears to have been active since 2016. This name is not related to any previously known cyber crime groups, the researchers said.
McAfee recommends keeping mobile security software up to date so that it can identify this and other new forms of mobile malware, and installing apps only from Google Play to reduce the risk of infection; the links in this campaign were delivered through chat and social media rather than an app store.