Tuesday 11th December 2018

North Korean defectors were targeted through Google Play

According to a report from McAfee, the attackers appear to want to spy on North Korean defectors. The internet security firm discovered a North Korean IP address on an Android device linked to the attacks.
Jason Smith
by on 22nd May 2018

A group of hackers dubbed “Sun Team” developed malware for the Android operating system that sought to target North Korean defectors, according to a report from internet security firm McAfee.

The report states the malware was labelled as “unreleased,” uploaded to Google Play in January 2018 and was available to download for two months.

Upon identifying the malware, McAfee notified Google, which removed the malware from its platform.

The report also states that the threat was discovered early and only affected upwards of 100 users. The malicious code was created for the purpose of copying personal data from users’ devices, including text messages, photos and contact details.

The data was subsequently uploaded to Dropbox accounts that were named after popular South Korean celebrities.

The app carrying the malware was called “Food Ingredients Info” and was operating under the pretence of offering nutritional information to users. The group also had two other apps called “FastAppLock” and “AppLockFree” in production, both of which were related to security.

The malware was spread between users’ social connections and encouraged them to leave reviews on a fake Facebook page.  McAfee discovered numerous Korean apps installed on the hackers’ test devices, which obviously provides a strong indication they are fluent in Korean.

This is the second identified attack by Sun Team this year. In January, McAfee reported that the group was targeting North Korean journalists and refugees through the distribution of download links over popular messaging apps and social networking sites.

As per the latest attack, the threat from January relied on users installing malware that would upload their personal data to Dropbox. The journalists that were targeted were sent shortened links that displayed a thumbnail from stories they’d recently written.

Some of the shortened links were also clicked from police email addresses.

In a blog post about the attacks on its website, McAfee states, “The actors are familiar with South Korea and appear to want to spy on North Korean defectors, and on groups and individuals who help defectors”.

McAfee also stated they came across language written by the attacked that is only used in North Korea. Moreover, it also found a North Korean IP address on Android devices linked to the attacks.