North Korea-linked hackers go after defectors using malware-loaded apps in Play Store

The Google Play store is no stranger to seemingly legitimate apps that host malware, but McAfee researchers have discovered something a bit different: three malicious applications that target specific individuals. The security group says a North Korea-linked group uploaded the apps, which were designed to infiltrate Android devices belonging to defectors from the country.

While the phrase "North Korean hackers" usually refers to the notorious Lazarus Group, in this instance the attacker is the Sun Team. It was behind a campaign called RedDawn, which saw malware-loaded apps added to the Play Store before attempts were made at convincing defectors to download the software.

The three apps appeared in Google's store between January and March this year. The first of these, called Food Ingredients Info, offered information on food, as one might imagine. The other two---Fast AppLock and Fast AppLockFree---were security tools. All three were able to steal the personal data of those who downloaded them, which could then be used to blackmail, threaten, or track victims; this information included a user's photos, contacts, call recordings, and SMS messages.

"After infecting a device, the malware uses Dropbox and Yandex to upload data and issue commands, including additional plug-in dex files; this is a similar tactic to earlier Sun Team attacks," writes McAfee's Jaewon Min.

"From these cloud storage sites, we found information logs from the same test Android devices that Sun Team used for the malware campaign we reported in January. The logs had a similar format and used the same abbreviations for fields as in other Sun Team logs. Furthermore, the email addresses of the new malware's developer are identical to the earlier email addresses associated with the Sun Team."

The Sun Team tried to get North Korean defectors, of which there were over 30,000 in 2016, to download the apps by using a fake Facebook profile or sending direct private messages via the site. A chat app popular in South Korea called KakaoTalk was also used to send links to the targets.

The apps, which have now been removed, recorded around 100 downloads during their time on the Google Play Store. Two fake Facebook profiles set up by the Sun Team are reportedly still active.

Further evidence linking the attacks to North Korea included an IP address belonging to the country that was found in a test log file, along with the fact that the authors used Korean words "not in South Korean vocabulary." With North Korea threatening to halt its recent peace talks, we could see more attacks from the Sun Team in the future.