Kimsuky Hackers Attacking Users via Weaponized QR Code to Deliver Malicious Mobile App

Posted on December 17, 2025 By CWS

The North Korean state-linked threat group Kimsuky has expanded its attack tradecraft by distributing mobile malware via weaponized QR codes, targeting users through sophisticated phishing websites that imitate package delivery services.

Security researchers discovered the campaign in September 2025, when victims received smishing messages with links that redirected them to fake delivery tracking websites hosting QR codes designed to trick users into downloading infected Android applications on their smartphones.

QR-based mobile redirection (Source – Enki)

The malware is the latest version of “DOCSWAP,” a threat first documented earlier in 2025.

This new variant shows several enhancements over earlier versions, including a new native decryption function and more varied decoy behaviors.

Attack Flow (Source – Enki)

Enki analysts identified the malicious application being distributed from a command and control server located at 27.102.137[.]181, where it impersonated legitimate services such as CJ Logistics, auction platforms, VPN apps, and cryptocurrency airdrop authentication systems to deceive victims.

When users access the phishing links from a computer, they see a message stating “For security reasons, you cannot view this page from a PC” along with a QR code.

Scanning this code with a mobile device starts the download of what appears to be a security app. Accessing the same link directly from an Android device instead displays fake security scanning screens and prompts the user to install a “security app” to complete authentication.

The phishing site uses Base64-encoded URLs and server-side logic that serves different content depending on the visitor's device type, which makes detection harder.

Once installed, the malware operates in several phases. The application first requests extensive permissions, including file access, phone, SMS, and location data.

The downloaded APK file, named “SecDelivery.apk,” contains an encrypted APK stored as “security.dat” in its resources. Unlike earlier versions, which used Java-based XOR decryption, this variant uses a native library called “libnative-lib.so” to decrypt the embedded APK.

The decryption process involves three steps: inverting the bits of each byte, applying a 5-bit left rotation, and XORing with a 4-byte key (541161FE in hex).
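The three decryption steps above, re-implemented as an added analyst helper (this is not Enki's code or the malware's own routine) so a dumped “security.dat” can be unpacked and checked for the ZIP header every APK starts with. Two details the article does not state are assumed here: the key bytes are applied in the order written (54 11 61 FE), cycling by byte offset, and the steps run in the order listed.

```python
# Added example, not from the article: DOCSWAP-style decryption of security.dat.
# Assumptions (not stated in the article): key bytes cycle in the order 54 11 61 FE,
# and the steps run as listed (invert bits, rotate left 5, XOR).
KEY = bytes.fromhex("541161FE")
ZIP_MAGIC = b"PK\x03\x04"  # an APK is a ZIP archive, so the output must start with this


def rotl8(x: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits."""
    return ((x << n) | (x >> (8 - n))) & 0xFF


def rotr8(x: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits."""
    return ((x >> n) | (x << (8 - n))) & 0xFF


def decrypt_docswap(data: bytes, key: bytes = KEY) -> bytes:
    """Step 1: invert every bit; step 2: rotate left by 5; step 3: XOR with the cycling key."""
    out = bytearray(len(data))
    for i, b in enumerate(data):
        b = (~b) & 0xFF
        b = rotl8(b, 5)
        out[i] = b ^ key[i % len(key)]
    return bytes(out)


def encrypt_docswap(data: bytes, key: bytes = KEY) -> bytes:
    """Exact inverse of decrypt_docswap (steps undone in reverse order); used only to build test input."""
    out = bytearray(len(data))
    for i, b in enumerate(data):
        b ^= key[i % len(key)]
        b = rotr8(b, 5)
        out[i] = (~b) & 0xFF
    return bytes(out)


def unpack_security_dat(blob: bytes) -> bytes:
    """Decrypt a dumped security.dat and verify the result looks like a ZIP/APK."""
    apk = decrypt_docswap(blob)
    if not apk.startswith(ZIP_MAGIC):
        raise ValueError("output is not a ZIP/APK: key order or step order assumption is probably wrong")
    return apk


# Constructed sample: a stand-in "APK" (ZIP header plus filler) encrypted with the scheme above.
SAMPLE_APK = ZIP_MAGIC + b"constructed-sample-payload"
SAMPLE_SECURITY_DAT = encrypt_docswap(SAMPLE_APK)

if __name__ == "__main__":
    print(unpack_security_dat(SAMPLE_SECURITY_DAT))
```

If the ZIP check fails on a real sample, the two assumptions in the comment are the first things to vary.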

Infection Mechanism and Persistence

The malware establishes persistence through a multi-step service registration process.

After decryption, the application launches SplashActivity, which loads the encrypted resources, requests the necessary permissions, and registers a malicious service called MainService.

To keep running continuously, the malware configures intent filters that automatically start MainService when the device reboots or is connected to or disconnected from power.

The AndroidManifest.xml file defines these triggers as “android.intent.action.BOOT_COMPLETED,” “android.intent.action.ACTION_POWER_CONNECTED,” and “android.intent.action.ACTION_POWER_DISCONNECTED”.
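A small triage check, added here and not part of the article or Enki's tooling, that flags an Android manifest combining the boot and power-state triggers listed above with the permission families the article names (SMS, call log, contacts, location, storage). It assumes the manifest has already been decoded from binary XML to plain text and uses a constructed sample manifest, not the real one.

```python
# Added example, not from the article: flag manifests that pair boot/power triggers
# with sensitive permissions. Assumes a manifest already decoded to plain XML.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PERSISTENCE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.ACTION_POWER_CONNECTED",
    "android.intent.action.ACTION_POWER_DISCONNECTED",
}
SENSITIVE_PERMS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_EXTERNAL_STORAGE",
}


def triage_manifest(xml_text: str) -> dict:
    """Return the sensitive permissions requested and every receiver/service bound to a persistence trigger."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    triggers = {}
    for comp in list(root.iter("receiver")) + list(root.iter("service")):
        actions = {a.get(ANDROID_NS + "name") for a in comp.iter("action")}
        hit = actions & PERSISTENCE_ACTIONS
        if hit:
            triggers[comp.get(ANDROID_NS + "name")] = sorted(hit)
    sensitive = sorted(perms & SENSITIVE_PERMS)
    # Heuristic: a persistence trigger plus three or more sensitive permissions is worth a closer look.
    return {"sensitive_permissions": sensitive, "persistence_triggers": triggers,
            "suspicious": bool(triggers) and len(sensitive) >= 3}


# Constructed sample manifest mirroring the behaviour described in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.sample">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
      </intent-filter>
    </receiver>
    <service android:name=".MainService"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```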

The application displays a convincing fake authentication screen that asks the user to enter a delivery tracking number and a verification code. The hardcoded delivery number “742938128549” is included in the initial phishing message.

Fake authentication screen (Source – Enki)

After authentication, the app shows the official delivery tracking website in a WebView, leading users to believe they have installed a legitimate application while the malicious service runs silently in the background.

The embedded RAT supports 57 commands that give the operator comprehensive control of the device. It communicates with the command and control server using a format made up of length headers, null bytes, and Gzip-compressed payloads.

The command parsing logic uses “10249” as a delimiter. Supported actions include audio and video recording, file management, location tracking, call log collection, contact list theft, SMS interception, remote command execution, and live keylogging.

The keylogger operates through Android's Accessibility Service, capturing app icons, package names, event text, and timestamps, which are compressed and Base64-encoded before transmission.

    // Korean comment: "Leave log when button is clicked"
    btn.addEventListener("click", () => {
      fetch("downcat.php", {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify({
          time: new Date().toISOString(),
          url: decodedUrl
        })
      }).catch(err => console.error("Log transmission failed:", err));
    });

Researchers found links between this campaign and earlier Kimsuky operations through shared infrastructure, including the distinctive “Million OK !!!!” string found in the root directory of the command and control servers.

Korean-language comments throughout the HTML code and error messages provide further evidence tying the activity to North Korean threat actors.

The campaign demonstrates Kimsuky's continued evolution in mobile threats, targeting smartphones that hold sensitive financial and personal information.
