Kimsuky campaign uses QR codes to deliver DocSwap Android malware, South Korean firm says

South Korean cybersecurity firm ENKI said the North Korean threat actor known as Kimsuky has been linked to a campaign that distributes a new variant of Android malware called DocSwap via QR codes on phishing sites impersonating Seoul-based logistics firm CJ Logistics.

The campaign uses social engineering to lure recipients to booby-trapped URLs, with ENKI reporting that operators deliver links by means of smishing texts or phishing emails that impersonate delivery companies and push victims to install fake shipment-tracking apps.

Pages hosting the malicious apps prompt users who visit from desktop browsers to scan a QR code with an Android device. A tracking PHP script on those pages checks the browser User-Agent and displays a message urging installation of a purported security module under the guise of “international customs security policies.” If the victim proceeds, an APK named “SecDelivery.apk” is downloaded from the server at 27.102.137[.]181, and that package decrypts and loads an encrypted APK embedded in its resources.

ENKI said the initial app requests permissions to read and manage external storage, access the internet and install additional packages before registering the loaded malware’s service as “com.delivery.security.MainService.” The base application launches an AuthActivity that impersonates an OTP authentication screen. A hard-coded shipment number in the APK, reported as “742938128549,” is used to generate a verification code that the user must enter. After validation, the app opens a legitimate CJ Logistics tracking page while the trojan connects in the background to an attacker-controlled server at 27.102.137[.]181:50005. The trojan accepts up to 57 commands, including keystroke logging, audio capture, camera control, file operations, command execution, and the collection of location, SMS, contacts, call logs and installed-app lists.
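As an added example (not code from ENKI's report or from the article), a small Python triage script that checks a decoded AndroidManifest.xml (as produced by a decompiler such as apktool) and a set of resource files for the dropper pattern described above: the storage/install permissions, the reported service name, and a high-entropy resource that could be an embedded encrypted APK. The sample manifest and resource bytes are constructed, and the entropy threshold is an assumption.

```python
import math
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Indicators as reported above; the scoring rule and thresholds are my own assumptions
REPORTED_SERVICE = "com.delivery.security.MainService"
DROPPER_PERMS = {
    "android.permission.INTERNET",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
    "android.permission.REQUEST_INSTALL_PACKAGES",  # needed to side-load the decrypted APK
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed blobs sit close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage_manifest(manifest_xml: str) -> dict:
    """Collect dropper-style permissions and check for the reported service name."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    def full(name):  # component names may be written relative to the package
        return pkg + name if name.startswith(".") else name
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    services = {full(e.get(ANDROID + "name", "")) for e in root.iter("service")}
    return {"dropper_permissions": sorted(perms & DROPPER_PERMS),
            "reported_service": REPORTED_SERVICE in services}

def high_entropy_resources(resources: dict, threshold: float = 7.5) -> list:
    """Resource files that look encrypted: candidates for an embedded second-stage APK."""
    return sorted(n for n, blob in resources.items() if shannon_entropy(blob) > threshold)

def triage(manifest_xml: str, resources: dict) -> dict:
    result = triage_manifest(manifest_xml)
    result["high_entropy_resources"] = high_entropy_resources(resources)
    # Flag on the known service name, or on install permission paired with an encrypted blob
    result["flag"] = result["reported_service"] or (
        "android.permission.REQUEST_INSTALL_PACKAGES" in result["dropper_permissions"]
        and bool(result["high_entropy_resources"]))
    return result

# Constructed sample input modelled on the reported dropper; not taken from a real sample
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.delivery.security">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application><activity android:name=".AuthActivity"/><service android:name=".MainService"/></application>
</manifest>"""
SAMPLE_RESOURCES = {"res/raw/payload.bin": bytes(range(256)) * 16,  # uniform bytes: entropy 8.0
                    "res/raw/strings.txt": b"tracking number required\n" * 40}
```

Running `triage(SAMPLE_MANIFEST, SAMPLE_RESOURCES)` flags the constructed sample on both rules; on a real package, run it against the decoded manifest and the files under res/raw and assets.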

ENKI also identified two other samples used in the campaign: one disguised as a P2B Airdrop app, and a repackaged, trojanized version of a legitimate VPN application listed on Google Play as BYCOM VPN. The security company said the actor injected malicious functionality into the legitimate APK and repackaged it for use in the attack.

Further analysis found phishing sites mimicking South Korean platforms such as Naver and Kakao that aim to harvest credentials and appear to overlap with a prior Kimsuky credential-harvesting campaign, ENKI said. The report noted that the executed malware launches a remote-access Trojan service with evolved capabilities, but did not disclose the number of victims.