The second campaign from the “Sun Team” hacking group managed to sneak its way into the Google Play Store to target North Korean defectors.
“The malware looks to copy sensitive information including personal photos, contacts, and SMS messages and sends them to the threat actors,” according to a May 17 blog post.
The malware became active in 2017 with the sole purpose of extracting information from devices.
Researchers identified the malware at an early stage and subsequently alerted Google; as a result, the number of infections was only about 100, quite low compared with previous campaigns on Google Play. Threat actors also used Facebook to distribute malicious links that led to the apps.
The malware was hidden in three apps named AppLockFree (Unreleased), Fast AppLock (Unreleased), and Food Ingredients Info which offers information about food, all of which have since been removed after staying online for roughly two months.
Sun Team also used awkward Korean writing in the app descriptions, which followed a pattern of using the names of celebrities, such as Jack Black, who appeared on Korean TV, suggesting the threat actors aren't native South Koreans but are familiar with the culture and language, researchers said.
Researchers believe the apps are multi-staged and use several components, with one of the apps being part of a reconnaissance stage that sets the foundation for the next stage carried out by the other two apps. The malware also attempts to spread to a victim's friends, asking them to install the other malicious apps and offer feedback via a Facebook account with a fake profile.
Researchers also found that Sun Team used devices manufactured in several countries, with Korean apps installed, to test the exploits they tried to use.
“The exploit codes were found uploaded on one of the cloud storages used by Sun Team which are modified versions of publicly available sandbox escape, privilege escalation, code execution exploits that added functions to drop their own Trojans on victims' devices,” researchers said in the post. “The modified exploits suggest that the attackers are not skillful enough to find zero days and write their own exploits.”
Researchers said it's only a matter of time before the threat actors begin exploiting these vulnerabilities.
To avoid infection, users should be cautious when installing unreleased or beta versions of any app and also check the number of downloads to see if the app is widely installed.