The Google Play Store is no stranger to seemingly legitimate applications that host malware, but McAfee researchers have discovered something a little different: three malicious apps that target specific individuals. The security group says that a group linked to North Korea uploaded the apps, which were designed to infiltrate Android devices belonging to defectors from the country.
While the phrase "North Korean hackers" usually refers to the infamous Lazarus group, in this case the attacker is the Sun Team. This group was behind a campaign called RedDawn, which saw malware-laden applications added to the Play Store before attempts were made to convince the defectors to download the software.
All three apps appeared in the Google store between January and March of this year. The first of them, called Food Ingredients Info, offered information on food, as one might imagine. The other two, Fast AppLock and Fast AppLockFree, were security tools. All three were able to steal the personal data of those who downloaded them, which could then be used to blackmail, threaten or track the victims; this information included photos, contacts, call records and SMS messages from a user.
"After infecting a device, the malware uses Dropbox and Yandex to download data and issue commands, including additional dex plug-in files, a tactic similar to previous Sun Team attacks," writes McAfee's Jaewon Min.
"From these cloud storage sites, we found information logs from the same Android test devices used by Sun Team for the malware campaign we reported in January. In addition, the e-mail addresses of the developer of the new malware are identical to the previous e-mail addresses associated with the Sun Team."
The Sun Team tried to get North Korean defectors, of whom there were more than 30,000 as of 2016, to download the applications using a fake Facebook profile or by sending direct private messages through the site. KakaoTalk, a popular chat application in South Korea, was also used to send links to targets.
The apps, which have now been removed, logged about 100 downloads during their time on the Google Play Store. Two fake Facebook profiles set up by the Sun Team are reportedly still active.
Other evidence linking the attacks to North Korea included a North Korean IP address found in a test file, as well as the fact that the authors used Korean words "not in the South Korean vocabulary". Despite its recent peace talks, we could see more attacks from the Sun Team in the future.