North Korean hackers linked to Google Play spyware

Researchers tied three malicious Android apps in the Google Play store to an effort by North Korean hackers to target defectors and steal data from them, including personal photos, contacts and SMS messages.

Dubbed "RedDawn," the malware was discovered earlier this year by researchers at McAfee Labs and was described last week in a blog post by McAfee security researcher Jaewon Min. The researchers attributed the malware to a threat actor group of North Korean hackers they call "Sun Team," which was behind a similar malware campaign uncovered earlier this year.

Noting that the RedDawn malware was the second campaign McAfee researchers had seen so far from the Sun Team threat actor this year, Min wrote in the blog post that the new malware was uploaded to Google Play as "unreleased" software.

"Our findings indicate that the Sun Team is still actively trying to implant spyware on Korean victims' devices," Min wrote. "Once the malware is installed, it copies sensitive information, including personal photos, contacts and SMS messages and sends them to the threat actors."

The three Android apps included one called Food Ingredients Info and two security-related apps, Fast AppLock and AppLockFree. The malicious apps, which were removed by Google following McAfee's notification, collect personal and device information from users and then download additional files and executables from cloud service accounts controlled by Sun Team. The researchers discovered the North Korean hackers were using the stolen personal data for identity theft and creating false identities.

"The most concerning thing about this Sun Team operation is that they use photos uploaded on social network services and identities of South Koreans to create fake accounts," Min wrote. "We have found evidence that some people have had their identities stolen; more could follow. They are using texting and calling services to generate virtual phone numbers so they can sign up for South Korean online services."

McAfee was confident that Sun Team is composed of North Korean hackers, but the company stressed that this group is not tied to existing APT groups in the country. "We believe this is a new group and not linked to WannaCry," Irfan Asrar, senior manager malware threat research at McAfee, told SearchSecurity by email. "However, considering they are targeting North Korean defectors, I think their intentions are no less sinister than the people behind WannaCry."

Asrar also ruled out Sun Team being connected to the Lazarus Group: "The techniques and tactics used here are different to the point we think these are completely separate groups, even though they have similar motives."

McAfee did not see any public reports of infections by the spyware, and the campaign was stopped before it could progress very far. "We identified these malwares at an early stage; the number of infections is quite low compared with previous campaigns, about 100 infections from Google Play," Min wrote.

This round of spyware was detected in Google Play more quickly, according to Asrar, for two reasons: The group was already on McAfee's radar and because "campaigns like these are becoming more frequent and aggressive/bolder in their moves."