ScarCruft pushes Android BirdCall spyware through game platform

North Korean hacking group APT37 has been delivering an Android version of its BirdCall backdoor through a supply chain attack on a video game platform, with researchers saying they found at least seven versions created since about October 2024.

KEY FACTS

  • Group: APT37, also known as ScarCruft and Ricochet Chollima, is behind the campaign.
  • Delivery: Trojans were placed on sqgame.net, a Chinese site hosting games for Android, iOS and Windows.
  • Targets: The attacks observed by researchers affected Android and Windows users.
  • Spyware: The Android BirdCall variant can steal contacts, logs, SMS, device details and files.

A technical analysis by ESET says the Android malware was delivered through trojanized APKs on the game site, which catered to Koreans in the autonomous Yanbian region in China. That area is a crossing point for North Korean defectors and refugees.

The BirdCall family has been linked to ScarCruft since 2021. On Windows, it can record keystrokes, take screenshots, steal clipboard contents, exfiltrate files and execute commands. The Android version does not yet include all of those features.

Researchers said the mobile variant can collect IP geolocation data, contacts, call logs, SMS messages and device identifiers, including IMEI, MAC address and network details. It also reports battery temperature, RAM, storage, cloud configuration and selected file types to a command server.

The malware periodically takes screenshots, records audio from 7 pm to 10 pm local time and plays a silent MP3 in a loop to keep its process alive. It can also exfiltrate files from a specified directory. Missing features include shell command execution, traffic proxying, browser and messenger targeting, file deletion and process killing.
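The two behaviours above, audio capture confined to a fixed evening window and a looping silent track that keeps the process alive, are specific enough to hunt for on a device. The script below is an added example, not ESET's code or anything from the malware: it turns that description into a triage heuristic over per-app microphone and playback events. The event format (one line per event: local ISO timestamp, package name, RECORD_START/RECORD_STOP/PLAY_START/PLAY_STOP) and the sample data are constructed for this illustration and are not the output of any real Android tool; the window and thresholds are assumptions you would tune to your own telemetry.

```python
"""Triage heuristic for the BirdCall-style pattern: microphone sessions that
start only inside a fixed local-time window on several days, plus a very long
media playback session (the silent-MP3 keepalive).

Added example, not part of the original report. Event format and sample data
are constructed; they are not real Android logs.
"""
from datetime import datetime

# Constructed sample telemetry: one spyware-like package and one benign VoIP app.
SAMPLE_EVENTS = """\
2025-03-01T08:00:00 com.example.game PLAY_START
2025-03-01T19:00:05 com.example.game RECORD_START
2025-03-01T21:59:50 com.example.game RECORD_STOP
2025-03-01T23:55:00 com.example.game PLAY_STOP
2025-03-02T07:58:00 com.example.game PLAY_START
2025-03-02T19:00:02 com.example.game RECORD_START
2025-03-02T21:59:58 com.example.game RECORD_STOP
2025-03-02T23:50:00 com.example.game PLAY_STOP
2025-03-03T19:00:01 com.example.game RECORD_START
2025-03-03T22:00:00 com.example.game RECORD_STOP
2025-03-01T12:30:00 com.example.voip RECORD_START
2025-03-01T12:45:00 com.example.voip RECORD_STOP
2025-03-02T09:10:00 com.example.voip RECORD_START
2025-03-02T09:20:00 com.example.voip RECORD_STOP
2025-03-02T20:00:00 com.example.voip RECORD_START
2025-03-02T20:05:00 com.example.voip RECORD_STOP
"""


def parse_events(text):
    """Parse lines into (timestamp, package, event) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, pkg, ev = line.split()
        events.append((datetime.fromisoformat(ts), pkg, ev))
    events.sort(key=lambda e: e[0])
    return events


def recording_profile(events, pkg, window=(19, 22)):
    """Return (total RECORD_START events, starts inside the window, distinct
    days with an in-window start). Hours are local device time, half-open."""
    lo, hi = window
    total = in_win = 0
    days = set()
    for ts, p, ev in events:
        if p != pkg or ev != "RECORD_START":
            continue
        total += 1
        if lo <= ts.hour < hi:
            in_win += 1
            days.add(ts.date())
    return total, in_win, len(days)


def longest_playback_seconds(events, pkg):
    """Length in seconds of the longest PLAY_START..PLAY_STOP session."""
    longest = 0.0
    start = None
    for ts, p, ev in events:
        if p != pkg:
            continue
        if ev == "PLAY_START":
            start = ts
        elif ev == "PLAY_STOP" and start is not None:
            longest = max(longest, (ts - start).total_seconds())
            start = None
    return longest


def flag_packages(events, window=(19, 22), min_ratio=0.9, min_days=2, min_play_hours=6):
    """Return {package: [reasons]} for packages matching either indicator.
    Thresholds are assumptions for this example, not values from the report."""
    findings = {}
    for pkg in sorted({p for _, p, _ in events}):
        reasons = []
        total, in_win, days = recording_profile(events, pkg, window)
        if total and in_win / total >= min_ratio and days >= min_days:
            reasons.append(
                f"{in_win}/{total} mic sessions start in "
                f"{window[0]:02d}-{window[1]:02d}h local time over {days} days"
            )
        play = longest_playback_seconds(events, pkg)
        if play >= min_play_hours * 3600:
            reasons.append(f"continuous playback session of {play / 3600:.1f} h")
        if reasons:
            findings[pkg] = reasons
    return findings


if __name__ == "__main__":
    for pkg, reasons in flag_packages(parse_events(SAMPLE_EVENTS)).items():
        print(pkg)
        for reason in reasons:
            print("  -", reason)
```

Treat a hit as a triage lead, not a verdict: voice recorders, VoIP clients and music players will legitimately trip one indicator or the other, and the malware's window is expressed in the device's local time, so the comparison must use local timestamps rather than UTC. The combination of both indicators on a package that has no visible audio feature is what merits pulling the APK for analysis.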

On Windows, the infection chain starts with a trojanized mono.dll file that downloads and runs RokRAT, which then deploys the Windows BirdCall backdoor. The report said ScarCruft has used several other custom tools in past campaigns, including THUMBSBD, KoSpy, M2RAT and Dolphin.

WHY IT MATTERS

The campaign shows how a supply chain compromise on a gaming platform can be used to reach Android users with spyware that is built to collect a wide range of device and personal data. Users reduce risk by downloading software only from official marketplaces and trusted publisher sites.