Threat Management, Threat Hunting, Threat Intelligence, Malware, Endpoint/Device Security

Updated DocSwap Android malware deployed by Kimsuky

Powered by Android operating system OS software logo icon on a smartphone tablet mobile phone device display screen macro, extreme closeup detail, nobody Android apps

Malicious QR codes and pop-up notifications on websites spoofing South Korean logistics company CJ Logistics have been used by North Korean state-backed advanced persistent threat operation Kimsuky to distribute the updated DocSwap Android malware, reports The Hacker News.

Kimsuky has leveraged the QR code to redirect targets to a script that triggers a message luring them into downloading a fake security module, which includes an APK file that launches the new DocSwap Android variant after securing external storage reading and management permissions and internet access, as well as injecting other packages, an analysis from ENKI revealed. DocSwap not only allowed keystroke logging, audio capturing, and camera recording, but also file operations, command execution, file uploads and downloads, and extensive device data gathering.

"The executed malware launches a RAT service, similarly to past cases but demonstrates evolved capabilities, such as using a new native function to decrypt the internal APK and incorporating diverse decoy behaviors," said ENKI researchers.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds