Android trojan targets North Korean defectors and their supporters

Chat apps and common cloud file-sharing software are being used in cyber-espionage attacks that target individuals involved with aiding North Korean defectors.
Written by Danny Palmer, Senior Writer on

Video: Winter Olympics: Let the Games - and malware attacks - begin

North Korean defectors, along with those who help them, are being targeted by a hacking operation which aims to infect their devices with trojan malware for the purposes of spying on them.

The campaign apparently selects victims carefully, using social networks and chat applications to directly interact with the targets in South Korea and plant spyware onto their smartphones.

Researchers at McAfee have attributed the attacks to an operation they've dubbed Sun Team, named after deleted files used to help carry out the attacks. The group isn't currently thought to have any links to any previously known cybercrime outfits.

The Sun Team attacks used applications including KakaoTalk -- a popular chat app in South Korea -- and other social media services including Facebook to aid efforts to distribute trojan malware to victims' Android devices.

Analysis of the malicious APK files used in the attacks reveals that shortened URLs are used in an effort to distribute the malware. Two different lures were used in the campaign: one posed as 'BloodAssistant', a healthcare app, while another was titled 'Pray for North Korea' when translated to English. In some cases, the attackers used Facebook to attempt to deliver BloodAssistant.


The Sun Team malware dropper in action.

Image: McAfee

If successful in being dropped onto a device, the malware first checks to see if the phone is already infected. If it isn't, the attackers use a phishing attack to trick the victim into turning on the accessibility settings they require to gain full control of the infected device.

In an attempt to hide the how the accessibility settings are being tampered with, the malware opens an overlay -- often a video -- on top of the display to act as a distraction. The overlay is immediately removed once the malicious payload has been dropped.

Once successfully installed on the target device, the trojan uses cloud services including Dropbox, Google, and Yandex as a control server, as well as a hub for uploading stolen data and receiving commands.

See also: What is phishing? Everything you need to know to protect yourself from scam emails and more

Data stolen from the device is saved into a temporary folder before being uploaded to the cloud, which also directs instructions to carry out malicious activities including saving messages and information about contacts. The references to 'Sun Team' within this folder led researchers to christen the hacking operation with its name.

Not much is known about the mysterious group behind the attacks, but researchers at McAfee have speculated that it must be very familiar with the Korean language and South Korean culture, because names of the account names associated with attackers' cloud accounts are from Korean television -- including the name of soap characters and reality show contestants.

Researchers also note that one word found associated with the attackers -- 'blood type' -- is used in a way associated with North Korean spelling, rather than the South Korean equivalent. North Korean IP test log files were also discovered on some Android accounts used to spread the malware.

However, McAfee notes that this isn't enough to draw any conclusions about the location of the attackers because "wi-fi was on so we cannot exclude the possibility that the IP address is private".

Download now: IT leader's guide to reducing insider security threats (free PDF)

As a result, researchers say they can't confirm who is behind the campaign, other than that they're "familiar with South Korea and appear to want to spy on North Korean defectors, and on groups and individuals who help defectors".

While the Sun Team operation is highly targeted, with North Korean defectors and their associates in mind, McAfee researcher Jaewon Min recommends all Android users follow best practice in order to avoid falling victim to attacks.

"Always keep your mobile security application updated to the latest version, and never install applications from unverified sources. We recommend installing KakaoTalk only from Google Play. These habits will reduce the risk of infection by malware," he said.

Related coverage

Trojan malware attacks by North Korean hackers are attempting to steal Bitcoin

Researchers at Secureworks say trojan malware is being distributed in phishing emails using the lure of a fake job advert.

Ransomware attack may have a North Korean link, say security researchers

Could the hackers thought to be behind the 2014 Sony Pictures breach be responsible for the WannaCry ransomware?


Editorial standards