North Korean defectors, journalists targeted through Google Play

Malware-laden Android apps aim to steal photos, contact lists, and sensitive information belonging to defectors and their supporters.
Written by Charlie Osborne, Contributing Writer

A new campaign designed to uncover and attack defectors from North Korea by exploiting Google Play has been discovered.

According to McAfee researchers, the latest campaign, dubbed RedDawn, is targeting North Korean defectors, those who aid them, and associated journalists.

A group called "Sun Team" is believed to be behind the latest attempt to spy on defectors.

The threat actors first emerged back in January when McAfee tracked their first campaign. Social engineering and messaging applications were used to select victims and infect their mobile devices with Trojans and spyware.

The malicious applications used in the past wave of attacks posed as "BloodAssistant," a healthcare service, and "Pray for North Korea."

In the new campaign, Sun Team -- so named based on email accounts and Android devices connected to previous attacks -- has developed three new mobile apps laden with malware.

The first application is translated as "Food Ingredients Info" and offers data on food items, while the other two, "Fast AppLock" and "AppLockFree," masquerade as security-related software.


Fast AppLock and AppLockFree connect to a cloud server to receive commands, including the download of payloads such as executable (.dex) files. The apps are also able to steal device-related data.

McAfee believes that AppLockFree, in particular, is part of a reconnaissance stage, especially as the app then attempts to lure the user to spread it further on social media, such as to Facebook contacts and friends.

Once a victim's device is infected with a malicious application, embedded malware then uses Dropbox and Yandex to upload information and issue commands -- the same technique used in the past by the threat actors.

The researchers uncovered information logs from these cloud storage sites which suggest the same test Android devices are also being used to develop these malicious apps.

Android devices used to test the malware's functionality have been manufactured in different countries. However, all of them carry installed Korean apps and use modified versions of publicly available sandbox escape, privilege escalation, and code execution exploits which bolt on additional functionality to the RedDawn Trojans.

"The modified exploits suggest that the attackers are not skillful enough to find zero-days and write their own exploits," the researchers say. "However, it is likely just a matter of time before they start to exploit vulnerabilities."

An extensive investigation into the threat group's operations uncovered different versions of the malware, which appears to have become active back in 2017.


Furthermore, the email addresses used by the new malware's developers are identical to earlier addresses associated with Sun Team.

The malicious apps point to North Korean IP addresses but attempt to appear South Korean by naming systems based on popular celebrity names in the country. However, the awkward use of South Korean vocabulary suggests that while the operators are familiar with South Korea's culture, they are not native speakers.

Many elements of the RedDawn campaign are the same as the techniques employed in January. However, McAfee has also discovered a new and disturbing trend -- the use of stolen pictures.

Images taken from social networks are being used to create individual, fake South Korean accounts to spread the malware.

There is also evidence that some of those who have had their pictures taken have also had their entire identities stolen. Text and calling services based on these stolen profiles are being used to sign up for South Korean online services, which may further propagate the malware.

"These elements are suggestive, though not a confirmation, of the nationality of the actors behind these malware campaigns," McAfee added.

The apps were uploaded to Google Play as "unreleased" versions. Following the cybersecurity firm's report, the mobile applications were only able to infect approximately 100 devices before being removed.
