The North Korea-based Kimsuky threat actor group has been spotted in a new cyberespionage campaign targeting users in South Korea. The campaign leverages three new Android malware to target Android devices.

About the newly found Android malware

  • As per the findings by S2W’s threat research and intelligence center, the three new malware are FastFire, FastViewer, and FastSpy. 
  • These malware are masquerading as APKs for three utility tools, developed by the hackers, that are available on Google Play Store.
  • While FastFire is disguised as a Google security plugin, the FastViewer malware is disguised as Hancom Office Viewer. 
  • FastSpy is distributed in the form of a remote access tool that is based on AndroSpy.
  • The FastFire malware is currently under development. It uses the Firebase app instead of HTTPS, to receive commands from C2 servers. 
  • Fast Viewer downloads additional malware, including FastSpy, after stealing information from an infected device.
  • The FastSpy malware enables its operators to intercept phone calls and SMSes, track users’ locations, harvest documents, collect keystrokes, and record information from the camera, microphone, and speaker. 
  • Both FastViewer and FastSpy abuse Android’s accessibility API permissions to execute their spying capabilities, with the latter automating user clicks to grant itself extensive permissions.

Key findings

  • S2W’s attribution of the malware to Kimsuky is based on overlaps with a server domain that was employed in a May 2022 campaign
  • Researchers also highlight that the attackers have been making various attempts to bypass detection by customizing Androspy.

Kimsuky’s persistent attacks on South Koreans 

  • The nefarious gang had launched a similar espionage attack against South Koreans in August. 
  • The attack, dubbed GoldDragon, had targeted South Korean think tanks, university professors, and government organizations. Additionally, it had infected entities in the U.S. and Europe. 
  • The infection chain involved a spear-phishing email that distributed a Windows infostealer to steal user keystrokes and web browser credentials. 

Bottom line

The prolific threat actor group from North Korea has been consistently evolving its TTPs and coming up with new techniques to evade detection and disrupt analysis. Since Kimsuky’s mobile targeting strategy is getting more advanced, users must be careful and check the reviews before downloading any application. Additionally, they must update the software and install anti-virus solutions on their devices.
Cyware Publisher