Kimsuky Hackers Use QR Codes to Distribute Android Malware via Phishing Campaigns

Kimsuky Hackers Exploit QR Codes to Deploy Malicious Mobile Apps

In a recent development, the North Korean state-sponsored cyber group known as Kimsuky has escalated its cyberattack strategies by leveraging weaponized QR codes to distribute sophisticated mobile malware. This campaign primarily targets users through meticulously crafted phishing websites that mimic legitimate package delivery services, aiming to deceive individuals into downloading malicious Android applications onto their devices.

Discovery and Initial Findings

Security researchers uncovered this malicious operation in September 2025. Victims received smishing (SMS phishing) messages containing links that redirected them to counterfeit delivery tracking websites. These sites displayed QR codes designed to trick users into scanning them with their smartphones, leading to the download of infected applications.

Technical Analysis of the Malware

The malware disseminated through this campaign is an evolved version of DOCSWAP, a threat first identified earlier in 2025. This latest variant exhibits several enhancements over its predecessors, including a new native decryption function and more diverse decoy behaviors.

Distribution Mechanism

Enki analysts identified that the malicious application was distributed from a command and control server located at 27.102.137[.]181. The attackers employed various disguises, impersonating legitimate services such as CJ Logistics, auction platforms, VPN applications, and cryptocurrency airdrop authentication systems to deceive victims.

Infection Process

When users accessed the phishing links from a computer, they encountered a message stating, "For security reasons, you cannot view this page from a PC," accompanied by a QR code. Scanning this code with a mobile device initiated the download of what appeared to be a security application. Conversely, accessing the same link directly from an Android device displayed fake security scanning screens, prompting users to install a security app to complete authentication.

Malware Functionality and Persistence

Once installed, the malware operates in multiple stages:

1. Permission Requests: The application requests extensive permissions, including access to files, phone functions, SMS, and location data.

2. Decryption Process: The downloaded APK file, named SecDelivery.apk, contains an encrypted APK stored as security.dat in its resources. Unlike previous versions that used Java-based XOR decryption, this variant employs a native library called libnative-lib.so to decrypt the embedded APK. The decryption process involves three steps:

– Inverting the bits of each byte value.

– Applying a 5-bit left rotation to the result.

– XORing the result with a 4-byte key (0x541161FE).

3. Service Registration: The malware establishes persistence through a sophisticated service registration process. After decryption, the application launches SplashActivity, which loads the encrypted resources, requests necessary permissions, and registers a malicious service called MainService.

4. Automatic Execution Triggers: To maintain continuous operation, the malware configures intent filters that automatically execute MainService when the device reboots or connects to power. The AndroidManifest.xml file defines these triggers as android.intent.action.BOOT_COMPLETED, android.intent.action.ACTION_POWER_CONNECTED, and android.intent.action.ACTION_POWER_DISCONNECTED.

5. User Deception: The application displays a convincing fake authentication screen that asks users to enter a delivery tracking number and verification code. The hardcoded delivery number 742938128549 is included with the initial phishing message. After authentication, the app shows the official delivery tracking website through a webview, making users believe they have installed a legitimate application while the malicious service operates silently in the background.
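As an added illustration, not code from Enki's report or from the sample itself, the Python below reproduces the three-step transform from stage 2 as a defender's unpacking helper and the intent-filter check from stage 4 as a manifest triage step. The order of the three steps, the cycling of the 4-byte key across the buffer, and the byte order of 0x541161FE are assumptions taken from the text as written; the manifest and the test blob are constructed, and the manifest check expects decoded (text) XML such as apktool produces rather than the binary AndroidManifest.xml inside an APK.

```python
"""Static triage helpers for a two-stage Android loader (added example)."""
import xml.etree.ElementTree as ET

# Key as the write-up prints it; byte order is an assumption.
XOR_KEY = bytes.fromhex("541161FE")
APK_MAGIC = b"PK\x03\x04"  # an APK is a ZIP container

# Manifest actions the write-up names as automatic execution triggers.
PERSISTENCE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.ACTION_POWER_CONNECTED",
    "android.intent.action.ACTION_POWER_DISCONNECTED",
}
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def _rotl8(b: int, n: int) -> int:
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def _rotr8(b: int, n: int) -> int:
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def decrypt_payload(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Invert bits, rotate left by 5, XOR with the cycling key.

    Step order and key cycling are assumptions from the description.
    """
    out = bytearray(len(data))
    for i, b in enumerate(data):
        b = (~b) & 0xFF
        b = _rotl8(b, 5)
        out[i] = b ^ key[i % len(key)]
    return bytes(out)


def encrypt_payload(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Exact inverse of decrypt_payload, used only to build test fixtures."""
    out = bytearray(len(data))
    for i, b in enumerate(data):
        b ^= key[i % len(key)]
        b = _rotr8(b, 5)
        out[i] = (~b) & 0xFF
    return bytes(out)


def looks_like_apk(data: bytes) -> bool:
    """Cheap sanity check that a decrypted blob is a ZIP/APK."""
    return data[:4] == APK_MAGIC


def find_persistence_triggers(manifest_xml: str) -> dict:
    """Map each component to the persistence actions its intent filters declare."""
    root = ET.fromstring(manifest_xml)
    hits = {}
    for comp in root.iter():
        if comp.tag not in ("service", "receiver", "activity"):
            continue
        name = comp.get(ANDROID_NS + "name", "?")
        actions = {a.get(ANDROID_NS + "name") for a in comp.iter("action")}
        matched = sorted(actions & PERSISTENCE_ACTIONS)
        if matched:
            hits[name] = matched
    return hits


# Constructed manifest mirroring the components the write-up names.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <application>
    <activity android:name=".SplashActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".MainService">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
        <action android:name="android.intent.action.ACTION_POWER_DISCONNECTED"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def triage_blob(blob: bytes) -> dict:
    """Decrypt a constructed security.dat-style blob and report whether it unpacks to an APK."""
    plain = decrypt_payload(blob)
    return {"is_apk": looks_like_apk(plain), "size": len(plain)}


if __name__ == "__main__":
    fixture = encrypt_payload(APK_MAGIC + b"constructed-apk-body")
    print(triage_blob(fixture))
    print(find_persistence_triggers(SAMPLE_MANIFEST))
```

The roundtrip through `encrypt_payload` is what makes the helper checkable without a real sample: if the step order guessed from the description were wrong, the reconstructed blob would not start with the ZIP magic. In triage, a `service` or `receiver` whose filters match all three actions, in an app that otherwise only shows a webview, is the signal to escalate.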

Broader Implications and Context

This campaign is part of a broader trend where Kimsuky employs innovative methods to infiltrate target systems. For instance, the group has previously utilized weaponized LNK files to deploy AppleSeed malware, a tactic that exploits Windows operating system vulnerabilities to gain unauthorized access and deliver malicious payloads. Additionally, Kimsuky has been known to use malicious browser extensions, such as TRANSLATEXT, to steal sensitive information from users’ email accounts.

Recommendations for Users

To protect against such sophisticated attacks, users are advised to:

– Exercise Caution with Unsolicited Messages: Be wary of unexpected messages containing links or QR codes, especially those claiming to be from delivery services or other trusted entities.

– Verify Sources: Before scanning QR codes or clicking on links, verify the authenticity of the sender through official channels.

– Install Applications from Trusted Sources: Only download and install applications from official app stores and trusted developers.

– Keep Software Updated: Regularly update your device’s operating system and applications to patch known vulnerabilities.

– Use Security Solutions: Employ reputable security software to detect and prevent malware infections.

By remaining vigilant and adopting these practices, users can significantly reduce the risk of falling victim to such advanced cyber threats.