Kimsuky APT Exploits QR Codes for DocSwap Android Malware Distribution
- John Jordan
- 10 hours ago
- 2 min read
The notorious North Korean hacking group Kimsuky has launched a new phishing campaign targeting Android users, employing QR codes to distribute a sophisticated piece of malware known as DocSwap. This campaign cleverly impersonates legitimate services, aiming to trick unsuspecting individuals into compromising their mobile devices.
Key Takeaways
Kimsuky is using QR codes embedded in phishing sites to deliver the DocSwap Android malware.
The malware mimics delivery service apps, specifically CJ Logistics, to gain user trust.
It employs a multi-stage infection process, including decrypting an embedded APK and requesting extensive permissions.
The campaign also includes credential harvesting sites impersonating popular South Korean platforms.
The DocSwap Malware Campaign
The Kimsuky group is leveraging QR codes presented on phishing websites to lure victims into downloading and installing the DocSwap malware onto their Android devices. These sites are designed to look like official portals of the South Korean logistics company CJ Logistics. The attackers use notification pop-ups and deceptive messages, claiming the app is a necessary security module due to "international customs security policies," to bypass Android's default security warnings against installing apps from unknown sources.
Infection and Capabilities
When a user scans the QR code from a desktop or clicks a malicious link on a mobile device, they are prompted to download an APK file, often named "SecDelivery.apk." This initial APK decrypts an embedded, encrypted APK, which then launches the DocSwap malware. Before execution, the malware ensures it has obtained critical permissions, including access to external storage, the internet, and the ability to install additional packages. It then registers a malicious service that provides Remote Access Trojan (RAT) capabilities.
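The dropper pattern described in this section (an outer APK that declares storage, internet and package-install permissions and carries an encrypted inner APK in its assets) is something an analyst can triage statically. The following script is an added example written for this article; it is not code from the article, from Kimsuky's samples, or from any vendor tool. It assumes the manifest permissions have already been extracted by a real tool (androguard or `aapt dump permissions`, for instance) and are passed in as a set of strings; the sample "dropper" it scans is constructed in-memory for the demonstration. It flags assets that are themselves ZIP/APK containers (nested APK) or high-entropy blobs (likely encrypted payload), and combines that with the permission set into a verdict.

```python
"""Static triage for an Android dropper carrying an embedded (possibly
encrypted) APK. Added example; not code from the article or any tool.

Assumptions: manifest permissions are extracted externally (e.g. androguard)
and supplied as a set; the sample dropper below is constructed for the demo.
"""
import io
import math
import random
import zipfile
from collections import Counter

# Permission set matching the dropper behaviour the article describes:
# external storage, network access, and installing additional packages.
DROPPER_PERMISSIONS = {
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.INTERNET",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

ZIP_MAGIC = b"PK\x03\x04"   # local file header of a ZIP/APK container
ENTROPY_THRESHOLD = 7.5    # bits per byte; encrypted data sits close to 8.0
MIN_BLOB_SIZE = 256        # ignore tiny assets when measuring entropy


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_assets(apk_bytes: bytes) -> list:
    """Report assets/ or res/raw/ entries that look like a nested APK
    or an encrypted payload blob, as (entry_name, reason) tuples."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not (name.startswith("assets/") or name.startswith("res/raw/")):
                continue
            data = zf.read(name)  # decompressed content of the entry
            if data.startswith(ZIP_MAGIC):
                findings.append((name, "embedded-zip/apk"))
            elif len(data) >= MIN_BLOB_SIZE and shannon_entropy(data) > ENTROPY_THRESHOLD:
                findings.append((name, "high-entropy-blob"))
    return findings


def triage(apk_bytes: bytes, permissions: set) -> dict:
    """Combine the permission check with the asset scan into a verdict."""
    permission_match = DROPPER_PERMISSIONS <= permissions
    findings = scan_assets(apk_bytes)
    verdict = "suspicious-dropper" if permission_match and findings else "clean"
    return {"permission_match": permission_match, "assets": findings, "verdict": verdict}


# --- constructed sample dropper (not a real malware sample) -----------------
def build_nested_apk() -> bytes:
    """A minimal inner 'APK': a ZIP with manifest and dex-like entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<constructed/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
    return buf.getvalue()


def build_sample_dropper() -> bytes:
    """Outer 'APK' with a nested APK, an encrypted-looking blob and a benign asset."""
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    encrypted_blob = bytes(rng.getrandbits(8) for _ in range(4096))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<constructed/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
        zf.writestr("assets/payload.bin", build_nested_apk())
        zf.writestr("assets/enc.dat", encrypted_blob)
        zf.writestr("assets/config.json", b'{"endpoint": "placeholder"}')
    return buf.getvalue()


SAMPLE_DROPPER = build_sample_dropper()
SAMPLE_PERMISSIONS = DROPPER_PERMISSIONS | {"android.permission.READ_SMS"}

if __name__ == "__main__":
    print(triage(SAMPLE_DROPPER, SAMPLE_PERMISSIONS))
```

On a real sample, replace `SAMPLE_DROPPER` with the file bytes and `SAMPLE_PERMISSIONS` with the permissions your extraction tool reports; the entropy threshold is a heuristic, so compressed media in assets can also score high and should be reviewed rather than treated as proof of encryption.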
The malware further deceives users by presenting a fake OTP authentication screen, requiring a hard-coded shipment number (e.g., "742938128549"). After the user enters this number, the app generates a fake verification code and prompts the user to input it. Once this step is completed, the app opens a legitimate tracking URL in a WebView, while in the background, the trojan establishes a connection to an attacker-controlled server. From this server, it can receive and execute a wide array of commands, including keystroke logging, audio and camera recording, file operations, command execution, and the exfiltration of sensitive data such as location, SMS messages, contacts, call logs, and installed applications.
Broader Phishing Efforts
In addition to the DocSwap malware, Kimsuky's infrastructure includes phishing sites that mimic popular South Korean platforms like Naver and Kakao. These sites are designed to harvest user credentials and have shown overlap with previous Kimsuky campaigns targeting Naver users. The group has also been observed distributing other malicious samples, including one disguised as a P2B Airdrop app and a trojanized version of a legitimate VPN application called BYCOM VPN, which was available on the Google Play Store. This indicates a multi-pronged approach to compromise users and gather intelligence.
Sources
Kimsuky Spreads DocSwap Android Malware via QR Phishing Posing as Delivery App, The Hacker News.