Researchers at McAfee have discovered new applications tied to a malicious attempt to track and steal information from North Korean defectors. While spyware isn't uncommon in the mobile world, McAfee says this is actually the second attempt by a group it calls the "Sun Team." Sun Team was also responsible for several applications identified earlier this year that were designed to track defectors from the country and journalists. Those were published to the Google Play Store as "Unreleased" test versions of applications. Dubbed RedDawn, the malware now includes three more applications titled 음식궁합, Fast AppLock, and AppLockFree. As with the previous attempts, the group could be identified through patterns in the Dropbox accounts the apps used to download malicious software, along with similar patterns in email addresses and Android device information. Familiarity with South Korean culture was also apparent, but the use of the language in that context was awkward. That suggests the entities behind the attacks are familiar with those things but are not native South Koreans.
Facebook was also used in both this attack and the earlier one to spread the applications via links sent to friends of infected parties. As for the apps themselves, each appears to be multi-staged, but each was caught early, after only around 100 infections. 음식궁합 is a food information application whose name translates loosely to Food Ingredients Info, according to McAfee. The remaining apps are tied to securing applications. The first stage steals information from the device; 음식궁합 and Fast AppLock can then also receive and execute files from a cloud server. AppLockFree appears to have only collected device information.
Although this attempt was caught and the apps were removed from Google Play, it's important to remember that the attacks could easily get worse. Up to this point, those behind the attacks have depended on modified versions of publicly available exploits. They have also been generating and using false identities, built from names and photos stolen from social networks, to promote the "Unreleased" apps. Given the persistence of the Sun Team, it's likely only a matter of time before the attacks become more sophisticated. In the meantime, this recently discovered malware is detected by McAfee Mobile Security as Android/RedDawn.A, B.