
Kimsuky Hacks Android via QR Code with New DocSwap Malware

North Korean Group Kimsuky Deploys Android Malware DocSwap via QR Code Phishing Targeting CJ Logistics and South Korean Platforms

  • The North Korean group Kimsuky is linked to a new Android malware campaign using QR codes on phishing sites mimicking CJ Logistics.
  • The malware, called DocSwap, disguises itself as delivery service apps, decrypts and loads an embedded APK, and provides RAT features.
  • Victims are tricked into installing the malware through QR codes or phishing URLs, often after desktop browsers show a prompt to scan the code.
  • The malware collects device data, logs keystrokes, records audio and video, and has extensive remote access capabilities.
  • Related phishing sites also target South Korean platforms like Naver and Kakao for credential theft.

A North Korean cyber espionage group known as Kimsuky has launched a campaign distributing a new Android malware variant named DocSwap. This campaign uses QR codes hosted on phishing websites impersonating the Seoul-based logistics company, CJ Logistics (formerly CJ Korea Express). The goal is to deceive users into downloading malicious apps on their mobile devices.


The attackers leverage QR codes and notification pop-ups to lure victims into installing the malware. According to ENKI, the malicious app decrypts an embedded APK and executes a remote access trojan (RAT) service. The threat actors mislead users by presenting the app as a legitimate official release to bypass Android’s security warnings about unknown sources.

Phishing messages, including smishing texts and emails, impersonate delivery firms to distribute booby-trapped URLs. When recipients access these URLs from a desktop computer, the site prompts them to scan a QR code on their Android device to install a package tracking app. The page includes a PHP tracking script that inspects the browser’s User-Agent to display a message asking users to install a “security module” under the pretense of customs verification.

If the victim installs the app, an APK file named “SecDelivery.apk” downloads and proceeds to decrypt and load another malicious APK module. This module requests permissions for external storage, internet access, and package installation. Once permitted, it registers a background service called “com.delivery.security.MainService” and displays an OTP verification screen. Users must enter a hardcoded shipment number “742938128549” and then a generated six-digit code.

After verification, the app opens a legitimate CJ Logistics webpage in a WebView but simultaneously connects to a command-and-control server at the IP address “27.102.137[.]181:50005.” The malware can execute up to 57 commands, including keystroke logging, audio and camera recording, file manipulation, and gathering location, SMS messages, contacts, call logs, and installed app lists.
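The indicators named above can be turned into a simple fleet check. The following is an added example, not code from the article or from ENKI: it refangs the C2 address, triages app inventory records, and searches connection logs. The record fields, the log line format, and the mapping of the described permissions to Android manifest names are assumptions, and the sample data is constructed.

```python
import re

# Indicators quoted in the article; the C2 address is defanged there.
C2_DEFANGED = "27.102.137[.]181:50005"
SERVICE = "com.delivery.security.MainService"
DROPPER = "SecDelivery.apk"
# Assumption: manifest names for the "external storage, internet access,
# and package installation" permissions the article lists.
PERMS = {"android.permission.INTERNET",
         "android.permission.REQUEST_INSTALL_PACKAGES",
         "android.permission.WRITE_EXTERNAL_STORAGE"}

def refang(ioc):
    """'1.2.3[.]4:80' -> ('1.2.3.4', 80)"""
    host, _, port = ioc.replace("[.]", ".").rpartition(":")
    return host, int(port)

def triage_app(app):
    """List the reasons an app inventory record matches the write-up."""
    reasons = []
    if SERVICE in app.get("services", []):
        reasons.append("service " + SERVICE)
    if app.get("source_file", "").lower() == DROPPER.lower():
        reasons.append("file " + DROPPER)
    # The permission trio alone is common; only flag it on sideloaded apps.
    if app.get("installer") is None and PERMS <= set(app.get("permissions", [])):
        reasons.append("sideloaded with storage/internet/install permissions")
    return reasons

def c2_hits(log_lines):
    """Source addresses that connected to the exact C2 ip and port."""
    ip, port = refang(C2_DEFANGED)
    pat = re.compile(r"src=(\S+) dst=%s dport=%d\b" % (re.escape(ip), port))
    return sorted({m.group(1) for l in log_lines if (m := pat.search(l))})

# Constructed sample data in a hypothetical MDM-export / firewall-log format.
APPS = [
    {"device": "phone-a", "installer": None, "source_file": "SecDelivery.apk",
     "services": [SERVICE], "permissions": sorted(PERMS)},
    {"device": "phone-b", "installer": "com.android.vending",
     "services": [], "permissions": ["android.permission.INTERNET"]},
]
LOGS = [
    "src=10.0.0.5 dst=27.102.137.181 dport=50005 action=allow",
    "src=10.0.0.6 dst=27.102.137.181 dport=443 action=allow",     # wrong port
    "src=10.0.0.7 dst=127.102.137.181 dport=50005 action=allow",  # other host
]
if __name__ == "__main__":
    print([(a["device"], triage_app(a)) for a in APPS], c2_hits(LOGS))
```

The file and service names are easy for an operator to change, so the sideloading check and the network match are the more durable of the three signals.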


In addition to the delivery-themed malware, researchers found other malicious APKs disguised as a P2B Airdrop app and a repackaged version of a legitimate VPN app named BYCOM VPN by the Indian company Bycom Solutions. This demonstrates the threat actor’s use of repackaging legitimate software with malicious code.

Further investigations revealed phishing sites imitating major South Korean platforms like Naver and Kakao. These sites share infrastructure with a previous Kimsuky campaign that targeted Naver users to steal login credentials, as documented in a hunt.io report.

“The executed malware launches a RAT service, similarly to past cases but demonstrates evolved capabilities, such as using a new native function to decrypt the internal APK and incorporating diverse decoy behaviors,” ENKI explained.
