KevDroid Android backdoor is tied to the North Korean Reaper hacking group, researchers said.
The hacking group, also tracked as APT37, Group 123, Red Eyes and ScarCruft, keeps raising the sophistication of its campaigns, researchers at Palo Alto Networks said.
Recently, the group was reported to have targeted victims with Android spyware delivered via spear-phishing emails.
“The post by EST Security detailed an Android spyware disguising itself as an Anti-Virus app from Naver (the largest search and web portal service provider in South Korea),” said Palo Alto Networks researcher Ruchna Nigam in a post. “While hunting for similar samples, I came across two more versions of the same variant. One of those called home to cgalim[.]com, a domain that Palo Alto Networks had already observed being used by the Reaper group in non-mobile attacks.”
The group uses Trojanized versions of two legitimate applications to distribute its Android spyware. The originals, Bitcoin Ticker Widget and PyeongChang Winter Games, are distributed through Google Play; the malicious copies never made it onto the official app store.
The two Trojanized applications are signed with the same certificate, contact the same URL to fetch their payloads, and were observed serving a more advanced iteration of the Android spyware. Each malicious app was built to “respectively download and drop one specific variant of Reaper’s Android spyware,” Nigam said.
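The shared signing certificate is the pivot an analyst uses to cluster samples like these two apps. The script below is an added example, not code from the article or from Palo Alto Networks: it pulls the DER certificates out of each APK's META-INF/*.RSA (a PKCS#7 SignedData blob), fingerprints them with SHA-256 and groups the APKs by signer. The three APKs it runs on are constructed in memory with placeholder certificates and signatures (structurally valid DER, not real X.509 or RSA data); on real samples the same walker returns the real certificates. It handles v1 (JAR) signing only: an APK signed only with scheme v2/v3 keeps its certificates in the APK Signing Block, which this does not parse.

```python
import hashlib
import io
import zipfile
from typing import Dict, Iterator, List, Tuple


def der_tlv(buf: bytes, pos: int = 0) -> Tuple[int, int, int, int]:
    """Parse one DER element at buf[pos]: (tag, header_len, content_start, end).
    Single-byte tags and definite lengths only, which is all SignedData needs."""
    tag = buf[pos]
    length = buf[pos + 1]
    hdr = 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start = pos + hdr
    return tag, hdr, start, start + length


def der_children(buf: bytes, start: int, end: int) -> Iterator[Tuple[int, int, int, int]]:
    """Yield (tag, element_start, content_start, end) for each element in [start, end)."""
    pos = start
    while pos < end:
        tag, _, cstart, cend = der_tlv(buf, pos)
        yield tag, pos, cstart, cend
        pos = cend


def pkcs7_certificates(p7: bytes) -> List[bytes]:
    """Return the DER certificates carried in a PKCS#7 SignedData blob.
    ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    SignedData  ::= SEQUENCE { version, digestAlgorithms, contentInfo,
                               certificates [0] IMPLICIT OPTIONAL, crls [1] OPTIONAL, signerInfos }"""
    tag, _, start, end = der_tlv(p7)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    kids = list(der_children(p7, start, end))
    if len(kids) < 2 or kids[1][0] != 0xA0:
        raise ValueError("ContentInfo has no [0] content")
    sd_tag, _, sd_start, sd_end = der_tlv(p7, kids[1][2])
    if sd_tag != 0x30:
        raise ValueError("SignedData is not a SEQUENCE")
    certs = []
    for tag, _, cstart, cend in der_children(p7, sd_start, sd_end):
        if tag == 0xA0:                     # certificates [0] IMPLICIT SET OF Certificate
            for ctag, cpos, _, cend2 in der_children(p7, cstart, cend):
                if ctag == 0x30:
                    certs.append(p7[cpos:cend2])
    return certs


def fingerprint(cert: bytes) -> str:
    return hashlib.sha256(cert).hexdigest()


def apk_signer_fingerprints(apk: bytes) -> List[str]:
    """SHA-256 of every certificate in the APK's v1 signature files."""
    fps = []
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps.extend(fingerprint(c) for c in pkcs7_certificates(z.read(name)))
    return fps


def group_by_signer(apks: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each signer fingerprint to the names of the APKs it signed."""
    groups: Dict[str, List[str]] = {}
    for name, blob in apks.items():
        for fp in apk_signer_fingerprints(blob):
            groups.setdefault(fp, []).append(name)
    return groups


# ---- constructed sample data (placeholders, not real certificates or signatures) ----
def der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def fake_pkcs7(cert: bytes, signature: bytes) -> bytes:
    """Stand-in for META-INF/CERT.RSA: a structurally valid SignedData wrapper."""
    signed_data = der(0x30,
        der(0x02, b"\x01")                                               # version
        + der(0x31, b"")                                                 # digestAlgorithms
        + der(0x30, der(0x06, bytes.fromhex("2A864886F70D010701")))      # contentInfo (id-data)
        + der(0xA0, cert)                                                # certificates [0]
        + der(0x31, der(0x30, der(0x02, b"\x01") + der(0x04, signature))))  # signerInfos
    return der(0x30, der(0x06, bytes.fromhex("2A864886F70D010702")) + der(0xA0, signed_data))


def fake_apk(cert: bytes, signature: bytes, label: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", label)
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", fake_pkcs7(cert, signature))
    return buf.getvalue()


# long enough to exercise long-form DER lengths
CERT_A = der(0x30, der(0x13, b"CN=placeholder signer A") + der(0x04, b"A" * 200))
CERT_B = der(0x30, der(0x13, b"CN=placeholder signer B") + der(0x04, b"B" * 200))
SAMPLES = {
    "sample_a.apk": fake_apk(CERT_A, b"sig-1", b"app A"),
    "sample_b.apk": fake_apk(CERT_A, b"sig-2", b"app B"),   # same signer, different signature
    "sample_c.apk": fake_apk(CERT_B, b"sig-3", b"app C"),
}

if __name__ == "__main__":
    for fp, names in group_by_signer(SAMPLES).items():
        print(fp[:16], sorted(names))
```

The signature bytes differ between the first two samples, so hashing the whole CERT.RSA file would not link them; only the certificate inside it is stable across everything a key signs. On real samples `apksigner verify --print-certs` prints the same fingerprints and also covers the v2/v3 signing block.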
Once installed, each app displays a message asking the user to update it. If the user accepts, what is downloaded is not an update but the malicious payload, which is saved under the app's own name as AppName.apk. The payload is then loaded and the user is prompted to confirm its installation, so the spyware still depends on the victim approving that second install.
The spyware can record audio and video, capture screenshots, grab the phone’s file listing, fetch specific files, download a list of commands, get device info, and root the device. Additionally, it can steal voice recordings from incoming and outgoing calls, call logs, SMS history, contact lists, and information on registered accounts on the phone.