Dec 18, 2025Ravie LakshmananMalware / Cellular Safety
The North Korean menace actor often called Kimsuky has been linked to a brand new marketing campaign that distributes a brand new variant of Android malware known as DocSwap by way of QR codes hosted on phishing websites mimicking Seoul-based logistics agency CJ Logistics (previously CJ Korea Specific).
“The menace actor leveraged QR codes and notification pop-ups to lure victims into putting in and executing the malware on their cellular units,” ENKI stated. “The malicious app decrypts an embedded encrypted APK and launches a malicious service that gives RAT capabilities.”
“Since Android blocks apps from unknown sources and shows safety warnings by default, the menace actor claims the app is a protected, official launch to trick victims into ignoring the warning and putting in the malware.”
In response to the South Korean cybersecurity firm, a few of these artifacts masquerade as bundle supply service apps. It is being assessed that the menace actors are utilizing smishing texts or phishing emails impersonating supply firms to deceive recipients into clicking on booby-trapped URLs internet hosting the apps.
A noteworthy facet of the assault is its QR code-based cellular redirection, which prompts customers visiting the URLs from a desktop pc to scan a QR code displayed on the web page on their Android machine to put in the supposed cargo monitoring app and lookup the standing.
Current inside the web page is a monitoring PHP script that checks the Person-Agent string of the browser after which shows a message urging them to put in a safety module beneath the guise of verifying their identification as a consequence of supposed “worldwide customs safety insurance policies.”
Ought to the sufferer proceed to put in the app, an APK bundle (“SecDelivery.apk”) is downloaded from the server (“27.102.137[.]181”). The APK file then decrypts and masses an encrypted APK embedded into its sources to launch the brand new model of DocSwap, however not earlier than ascertaining that it has obtained the required permission to learn and handle exterior storage, entry the web, and set up extra packages.
“As soon as it confirms all permissions, it instantly registers the MainService of the newly loaded APK as ‘com.supply.safety.MainService,'” ENKI stated. “Concurrently with service registration, the bottom utility launches AuthActivity. This exercise masquerades as an OTP authentication display and verifies the consumer’s identification utilizing a supply quantity.”
The cargo quantity is hard-coded inside the APK as “742938128549,” and is probably going delivered alongside the malicious URL throughout the preliminary entry section. As soon as the consumer enters the supplied supply quantity, the applying is configured to generate a random six-digit verification code and show it as a notification, following which they’re prompted to enter the generated code.
As quickly because the code is supplied, the app opens a WebView with the legit URL “www.cjlogistics[.]com/ko/software/parcel/monitoring,” whereas, within the background, the trojan connects to an attacker-controlled server (“27.102.137[.]181:50005”) and obtain as many as 57 instructions that enable it to log keystrokes, seize audio, begin/cease digital camera recording carry out file operations, run instructions, add/obtain recordsdata, and collect location, SMS messages, contacts, name logs, and an inventory of put in apps.
ENKI stated it additionally found two different samples disguised as a P2B Airdrop app and a trojanized model of a legit VPN program known as BYCOM VPN (“com.bycomsolutions.bycomvpn”) that is out there on the Google Play Retailer and developed by an Indian IT companies firm named Bycom Options.
“This means that the menace actor injected malicious performance into the legit APK and repackaged it to be used within the assault,” the safety firm added.
Additional evaluation of the menace actor infrastructure has uncovered phishing websites mimicking South Korean platforms like Naver and Kakao that search to seize customers’ credentials. These websites, in flip, have been discovered to share overlaps with a previous Kimsuky credential harvesting marketing campaign focusing on Naver customers.
“The executed malware launches a RAT service, capabilities, equally to previous circumstances however demonstrates advanced corresponding to utilizing a brand new native operate to decrypt the inner APK and incorporating numerous decoy behaviors,” ENKI stated.
