Tuesday, 22 January 2019

North Korea distributed apps on Google Play to spy on defectors

18 May 2018

According to McAfee, the same group has now incorporated Google Play's support for "unreleased apps" to trick victims into installing malicious apps that can siphon a user's photos, contacts, and SMS messages.

Huawei has acknowledged the fault, saying: "We are aware of an issue related to Google Play services that is affecting some apps on Huawei devices".

The apps were promoted to particular targets via Facebook, McAfee claims. Two of the apps were disguised as security apps, while the third was disguised as an app that provided information about food ingredients.

The apps were spread to selected individuals, in many cases by contacting them over Facebook. At the time of their removal, the apps had about 100 downloads in total.

According to the McAfee researchers, the apps were meant to target North Korean defectors to South Korea (numbering more than 30,000 in 2016) in a campaign McAfee has dubbed "RedDawn". Thursday's report is the latest to document malicious apps that bypassed the Google filters created to keep bad wares out of the Play market.

McAfee issued a report last November stating that the firm's researchers had discovered malicious Android files with backdoors that allowed hackers to infiltrate users' devices. A so-called "advanced persistent threat group" that multiple researchers have tracked for years, Lazarus is credited with the 2014 breach of Sony Pictures that wiped nearly a terabyte's worth of data, a string of attacks on financial institutions (including an $81 million heist of a Bangladeshi bank in 2016), and the unleashing of the WannaCry worm, which shut down hospitals, train stations, and businesses worldwide.

In addition, the authors used Korean words "not in South Korean vocabulary" and exposed an IP address that points to North Korea. According to the researchers, the backdoors had a lot of similarities with those used by the Lazarus group, a hacking unit from North Korea.

"We uncovered information about the attacker's Android test devices and exploits they tried to use..." The Sun Team apparently took note of this too. "Furthermore, the email addresses of the new malware's developer are identical to the earlier email addresses associated with the Sun Team".

After the attack was discovered, would-be defectors were encouraged to only install Android apps from Google Play. "From our analysis, we conclude that the actor behind both campaigns is Sun Team", the Internet security solutions company said.

One of the folders found on these accounts was called "Sun Team Folder", and so the group was named the Sun Team, because it could not be connected to other, already-known groups. "These elements are suggestive, though not a confirmation, of the nationality of the actors behind these malware campaigns".
