North Korea is considered to be an oppressive regime. Not many people actually get to escape, but even if you are successful in getting out of the country, it might not be enough to escape its reach. New research from McAfee suggests that hackers in North Korea are targeting defectors with malware-infected Android apps. I want to insert a “buy Apple” joke, but it’s probably not the time. McAfee reported last week that it found a number of apps in the Google Play Store that were infected with what it called RedDawn malware. If installed on a device, the malware could steal a significant amount of personal and/or sensitive information. This information could then be used by the attackers to threaten or track victims.
There were three apps discovered in the Google Play Store: The first, titled 음식궁합 (Food Ingredients Info), offers users information about food. The other two, Fast AppLock and AppLockFree, were presented as security-related tools. My question is how do attackers know that North Korean defectors are going to download these particular apps? I mean, the security-related tool angle is pretty smart, but the first app seems like a bit of a crapshoot. Doesn’t it?
Literally anyone could download the apps from the Google Play Store. The attackers, though, directed the apps at North Korean refugees and journalists. The hacking group responsible for the attack primarily distributed the apps by targeting individuals and contacting them via Facebook, so the apps were spread to specific people rather than to the public at large. The scary part? The apps had about 100 downloads when Google removed them. Nation-operated espionage campaigns frequently infect a small number of carefully selected targets and keep the number small in an attempt to remain undetected. Thursday’s report is the latest to document malicious apps that bypassed Google filters designed to keep bad wares out of the Play market.
McAfee also reported that it found malicious Android files last November. These files contained backdoors that were similar to those used by North Korea. In particular, the way the backdoor generates the encryption keys used to communicate with its control servers resembles those earlier samples.
In January, McAfee reported that it found malicious apps targeting North Korean journalists and defectors. Some of the Korean words found on the control servers aren’t used in South Korea but are used in North Korea. The researchers also found a North Korean IP address in a test log file of some Android devices that were connected to accounts used to spread the malware. McAfee said the developers didn’t appear to be connected to any previously known hacking groups.
Once a device was infected with the malware, attackers were able to extract everything from it: photos, text messages and even call recordings. All that data would be uploaded to Dropbox and Yandex accounts controlled by the hackers, who could also issue commands to the compromised Android device. These revelations about the Android attacks come just a week after Forbes revealed that North Korea-linked hackers were actively trying to develop software aimed at Apple’s iPhones. Maybe my comment about Apple was premature? Either way, we all need to be careful about the apps that we’re downloading.