Kimsuky Uses QR Code Phishing to Spread DocSwap Android Malware in New Campaign

Kimsuky’s New Tactic: Spreading DocSwap Android Malware via QR Code Phishing

The North Korean cyber espionage group known as Kimsuky has launched a sophisticated campaign distributing a new variant of Android malware, dubbed DocSwap, through QR code phishing schemes. This operation involves deceptive websites impersonating CJ Logistics, a prominent Seoul-based logistics company.

Deceptive Tactics and Malware Deployment

Kimsuky employs QR codes and misleading notifications to entice users into downloading and executing the malicious application on their Android devices. The malware decrypts an embedded, encrypted APK file and initiates a malicious service that grants remote access capabilities. To circumvent Android’s default security measures, which block installations from unknown sources and display warnings, the attackers falsely present the app as a legitimate, official release, persuading victims to disregard these alerts.

Phishing Methods and QR Code Exploitation

The attackers craft phishing emails and smishing texts that mimic communications from delivery companies, directing recipients to fraudulent URLs hosting the malicious apps. A notable aspect of this campaign is the use of QR codes for mobile redirection. When users access these URLs from a desktop, they are prompted to scan a QR code displayed on the page with their Android device. This action leads to the installation of a counterfeit shipment tracking app, purportedly to verify the status of a delivery.

The QR code directs users to a tracking.php script, which checks the browser’s User-Agent string and displays a message urging the installation of a security module. This module is falsely claimed to be necessary for identity verification due to alleged international customs security policies.

Malware Installation and Activation Process

Upon user compliance, an APK package named SecDelivery.apk is downloaded from the attacker’s server. This package decrypts and loads an embedded, encrypted APK to launch the new version of DocSwap. Before activation, the malware ensures it has obtained permissions to read and manage external storage, access the internet, and install additional packages.

Once permissions are granted, the malware registers its main service as ‘com.delivery.security.MainService’ and initiates an activity that mimics a one-time password (OTP) authentication screen. Users are prompted to enter a delivery number, hard-coded as 742938128549, likely provided during the initial phishing attempt. After entering this number, the app generates a random six-digit verification code, displays it as a notification, and prompts the user to input the code.
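As an added defender-side triage example (not code from the article or from any vendor tooling), the script below checks a decoded AndroidManifest.xml, such as apktool output, for the permission set and the service name described above. The standard Android permission constants used to represent "read and manage external storage, internet, install packages" and the sample package name are assumptions.

```python
import xml.etree.ElementTree as ET

# Android's manifest namespace; ElementTree expands android:name to this form.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Assumed mapping of the article's wording to standard permission names.
REQUIRED = {"android.permission.INTERNET",
            "android.permission.REQUEST_INSTALL_PACKAGES"}
STORAGE = {"android.permission.READ_EXTERNAL_STORAGE",
           "android.permission.MANAGE_EXTERNAL_STORAGE"}
# Service name the article reports for the DocSwap sample.
DOCSWAP_SERVICE = "com.delivery.security.MainService"


def triage_manifest(manifest_xml: str) -> dict:
    """Return declared permissions/services plus human-readable findings."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission") if e.get(NAME_ATTR)}
    services = {e.get(NAME_ATTR) for e in root.iter("service") if e.get(NAME_ATTR)}
    findings = []
    # The article says DocSwap obtains all three capabilities before activating;
    # the combination in one delivery-themed app is the triage signal here.
    if REQUIRED <= perms and perms & STORAGE:
        findings.append("storage + internet + install-packages permission set")
    if DOCSWAP_SERVICE in services:
        findings.append("known DocSwap service " + DOCSWAP_SERVICE)
    return {"package": root.get("package"), "permissions": sorted(perms),
            "services": sorted(services), "findings": findings}


# Constructed manifest mimicking the described dropper; package name is a guess.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.delivery.security">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="SecDelivery">
    <service android:name="com.delivery.security.MainService" android:exported="false"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST)["findings"]:
        print("FLAG:", finding)
```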

Upon entering the code, the app opens a WebView displaying the legitimate CJ Logistics tracking page. Simultaneously, in the background, the trojan connects to an attacker-controlled server and can receive up to 57 commands. These commands enable extensive surveillance and data exfiltration capabilities, including:

– Logging keystrokes
– Capturing audio
– Starting and stopping camera recordings
– Performing file operations
– Running arbitrary commands
– Uploading and downloading files
– Gathering location data
– Accessing SMS messages, contacts, call logs, and a list of installed applications

Additional Malicious Applications

Further analysis revealed two other malicious samples:

1. P2B Airdrop App: Disguised as a legitimate application related to cryptocurrency airdrops.

2. Trojanized BYCOM VPN: A compromised version of the legitimate BYCOM VPN app, available on the Google Play Store and developed by Bycom Solutions, an Indian IT services company.

These findings indicate that Kimsuky is expanding its attack vectors by repackaging legitimate applications with malicious code to infiltrate target devices.

Broader Implications and Recommendations

Kimsuky’s use of QR code phishing and the distribution of Android malware through deceptive applications underscore the evolving nature of cyber threats. Users are advised to exercise caution when scanning QR codes from untrusted sources and to be vigilant about installing applications, especially those prompting installations from outside official app stores.

Organizations should implement comprehensive security measures, including:

– Educating employees about phishing tactics
– Enforcing strict application installation policies
– Utilizing mobile device management (MDM) solutions to monitor and control device security

By staying informed about such sophisticated attack methods and adopting proactive security practices, individuals and organizations can better protect themselves against emerging cyber threats.