Cyberwarfare / Nation-State Attacks , Endpoint Security , Fraud Management & Cybercrime

North Korea Disguising Android Malware as Legitimate Apps

North Korean hackers may be targeting Android users south of the demilitarized zone with malware including one variant disguised as a Google security plug-in.

See Also: Enabling Government for Modernized IT

Seoul-based cybersecurity company S2W says it spotted three Android malware apps, dubbed FastFire, FastSpy and FastViewer, by studying a a server domain used by North Korean hackers in the past.

FastFire masqurades as the Google security plugin and, as of S2W's publication of its blog post last week, had yet to be flagged as malicious by in a VirusTotal malware test. FastViewer disguises itself as Hancom Office Viewer and FastSpy is a remote access tool based on AndroSpy.

The malware comes from state-sponsored group Kimsuky, also known as Thallium, Black Banshee and Velvet Chollima. Kimsuky has been active since 2012 and charged by Pyongyang with intelligence collection on foreign policy and national security issues related to the Korean peninsula. The U.S. government warned in 2020 that Kimsuky has also been active in the United States and Japan.

The group takes over accounts through spearphishing attacks. It also sends out phishing messages purportedly from Naver and Daum, two popular South Korean news service portals.

S2W says FastFire appears to be in development. Unlike typical command-and-control apps that send messages through HTTP, it communicates to infected devices through Firebase, an app development platform backed by Google. The cybersecurity company assess that FastFire is still under development since the process for downloading additional malicious code is not properly implemented.

Specifically, FastFire executes what Android developers know as a "deep link" - a URL that opens a specific page in the app. It's the deep link calling function that's not yet perfected, S2W says.

Once installed, FastFire hides its launcher icon so that the victim does not know that it is installed.

FastViewer is a mobile remote access Trojan disguising itself as a popular app used for viewing documents with file extensions from the Microsoft or Hancom word processors. Hancom's South Korean-developed Hangul-brand word processor remains relatively prevalent in South Korea due to its early support for the Korean alphabet.

FastViewer normally performs as a document viewer, but when it reads a file crafted by attackers, it transmits device information to the command and control server. It then downloads FastSpy, a remote access tool based on AndroSpy, whose code was open sourced.

Researchers FastSpy "could abuse" accessibility functions built into Android by automatically clicking a pop up window requesting user authorization for additional permissions. S2W says it didn't see that functionality in the version it analyzed.

The app is capable of taking control of infected smartphones. S2W advises users to be on guard about phishing pages and "not to download a viewer program and document files from third parties and anyone."