According to McAfee, the same group has now incorporated Google Play's support for "unreleased apps" to trick victims into installing malicious apps that can siphon a user's photos, contacts, and SMS messages.
The apps were promoted to particular targets via Facebook, McAfee claims. Two of the apps were disguised as security apps, while the third was disguised as an app that provided information about food ingredients.
The apps were spread to selected individuals, in many cases by contacting them over Facebook. At the time of their removal, the apps had about 100 downloads in total.
According to the McAfee researchers, the apps were meant to target North Korean defectors to South Korea - numbering more than 30,000 in 2016 - in a campaign McAfee has dubbed "RedDawn". Thursday's report is the latest to document malicious apps that bypassed the Google filters created to keep bad wares out of the Play market.
McAfee issued a report last November stating that the firm's researchers had discovered malicious Android files with backdoors that allowed hackers to infiltrate users' devices. A so-called "advanced persistent threat group" that multiple researchers have tracked for years, Lazarus is credited with the 2014 breach of Sony Pictures that wiped nearly a terabyte's worth of data, a string of attacks on financial institutions (including an $81 million heist of a Bangladeshi bank in 2016), and the unleashing of the WannaCry worm, which shut down hospitals, train stations, and businesses worldwide.
In addition, the authors used Korean words "not in South Korean vocabulary" and exposed an IP address that points to North Korea. According to the researchers, the backdoors had many similarities with those used by the Lazarus Group, a hacking unit from North Korea.
"We uncovered information about the attacker's Android test devices and exploits they tried to use..." The Sun Team apparently took note of this too. "Furthermore, the email addresses of the new malware's developer are identical to the earlier email addresses associated with the Sun Team".
After the attack was discovered, would-be defectors were encouraged to install Android apps only from Google Play. "From our analysis, we conclude that the actor behind both campaigns is Sun Team", the Internet security solutions company said.
One of the folders found on these accounts was called "Sun Team Folder", and so the group was named the Sun Team, because researchers were unable to connect it to other, already-known groups. "These elements are suggestive, though not a confirmation, of the nationality of the actors behind these malware campaigns".