
North Korean Hackers Spying on Defectors Using Facebook to Spread Android Malware

Hackers with alleged ties to North Korea are “actively” using mobile malware to spy on the Android devices used by defectors, cybersecurity company McAfee has revealed.

New research suggests that the suspected culprits—a hacking group codenamed “Sun Team”—are spreading the mobile malware through social media networks including Facebook and using it to steal sensitive information, including personal photos, contact lists and text messages. To date it is a highly targeted campaign, with the rogue applications infecting approximately 100 victims via Google Play.

The campaign, which has been dubbed “Red Dawn” by McAfee, is the second operation tied to Sun Team that has been spotted this year. In January, the company discovered that some of the estimated 30,000 defectors living in South Korea had been in the crosshairs of a similar hacking scheme that was linked to North Korea’s cyber-ops via an exposed internet protocol (IP) address and language quirks.

In the most recent find, McAfee researchers tracked the hackers’ email accounts and uncovered three apps that the group had uploaded to Google Play, Android’s official download marketplace: “Food Ingredients Info,” “Fast AppLock” and “AppLockFree.” Designed as reconnaissance tools, the apps harvest device information after infection and can receive remote commands from a cloud server, experts said. One app, Food Ingredients Info, was shared by a fake Facebook profile that was “asking for feedback.”

Victim data could be exfiltrated to accounts hosted on Dropbox and Yandex. The cybersecurity firm has said that “the attackers are not skillful enough to find zero days and write their own exploits, however it is likely just a matter of time before they start to exploit vulnerabilities.” Zero days, the most sought-after exploits, target bugs and security gaps that are unknown to anyone else—even the developer.

McAfee said the hackers use stolen information to spread the malware. “The most concerning thing about this Sun Team operation is that they use photos uploaded on social network services and identities of South Koreans to create fake accounts,” mobile researcher Jaewon Min wrote in a blog post on May 17. “We have found evidence that some people have had their identities stolen.”

He continued: “This malware campaign used Facebook to distribute links to malicious applications that were labeled as unreleased versions. From our analysis, we conclude that the actor behind both campaigns is Sun Team. Be cautious when installing unreleased or beta versions of any app. Also, check the number of downloads to see if an application is widely installed; avoid obscure apps.”

One of the most notorious North Korean hacking units is widely known inside the cybersecurity community as “Lazarus Group”. It has been linked to attacks on cryptocurrency exchanges, Sony Pictures and the Bangladesh Central Bank. Multiple analysts have said that code found in WannaCry, a major ransomware outbreak that spread across the world last year, was linked to the shady collective.

While attribution remains tricky, McAfee believes that Sun Team is operationally separate from Lazarus Group at this time. Previous reports have suggested the North’s hacking units operate from China. The Android applications discovered in the latest campaign have been taken offline by Google.
