North Korean Threat Actor Kimsuky Distributing DocSwap Android Malware

A new Android malware variant called DocSwap is being distributed by North Korean threat actor Kimsuky through QR code phishing campaigns. The malware masquerades as a delivery tracking app, specifically impersonating CJ Logistics, a major Korean logistics company.
Attack Vector
The threat actor uses smishing texts and phishing emails containing URLs that redirect users to fake delivery tracking websites. When scanned on a mobile device, QR codes on these phishing sites prompt users to install what appears to be an official security module or delivery tracking application. To get the victim past Android's built-in warnings about installing apps from outside the app store, the page claims the installation is required under "international customs security policies".
Technical Details
Once installed, the malware decrypts an embedded encrypted APK to launch DocSwap's main service. The attack includes a sophisticated authentication flow disguised as an OTP verification screen, using a hard-coded delivery number to appear legitimate. After the victim completes the fake verification process, the trojan connects to attacker-controlled servers and can execute up to 57 different commands.
Capabilities
DocSwap functions as a Remote Access Trojan (RAT) with extensive surveillance capabilities, including keystroke logging, audio capture, camera recording, file operations, command execution, and data exfiltration of SMS messages, contacts, call logs, location data, and installed applications.
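Two of the traits described above, a dropper that decrypts an embedded APK at runtime and a permission set matching the RAT capability list, can be triaged statically before an APK ever reaches a device. The following Python script is an added example written for this page, not code from the original article or from any vendor: it flags large, near-random files under assets/ or res/raw/ (the shape an encrypted second-stage APK has) together with class-loader references in the dex string table, and scores the declared permissions against the capabilities listed. Thresholds are heuristic assumptions, the sample APKs are constructed in-memory zips, and the permission list is assumed to be supplied by a manifest tool such as aapt or androguard, since the script does not parse binary AndroidManifest.xml.

```python
import io
import math
import random
import zipfile

# Standard Android permission names matching the capabilities the article lists
# (SMS, contacts, call logs, location, audio, camera). Assumption: a real triage
# rule would be tuned to the organisation's own app inventory.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS exfiltration",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_CONTACTS": "contact exfiltration",
    "android.permission.READ_CALL_LOG": "call-log exfiltration",
    "android.permission.RECORD_AUDIO": "audio capture",
    "android.permission.CAMERA": "camera recording",
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
}

# Type descriptors as they appear in a dex string table when code loads a
# second-stage dex/APK at runtime.
DYNAMIC_LOADING_MARKERS = [
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or random data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_packed_assets(apk_bytes: bytes, min_size=32 * 1024, threshold=7.5):
    """Bundled files whose *uncompressed* content is large and near-random.
    ZipFile.read() inflates the entry, so deflated plaintext still scores low."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if not info.filename.startswith(("assets/", "res/raw/")):
                continue
            if info.file_size < min_size:
                continue
            entropy = shannon_entropy(apk.read(info))
            if entropy >= threshold:
                hits.append((info.filename, info.file_size, round(entropy, 3)))
    return hits


def find_dynamic_loading(apk_bytes: bytes):
    """Class-loader descriptors present in any classes*.dex inside the APK."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                dex = apk.read(name)
                found.update(m.decode() for m in DYNAMIC_LOADING_MARKERS if m in dex)
    return sorted(found)


def triage(apk_bytes: bytes, permissions):
    """Combine both signals. `permissions` is the list of <uses-permission>
    names obtained externally (assumed: aapt dump permissions / androguard)."""
    packed = find_packed_assets(apk_bytes)
    loaders = find_dynamic_loading(apk_bytes)
    surveillance = {p: SURVEILLANCE_PERMISSIONS[p]
                    for p in permissions if p in SURVEILLANCE_PERMISSIONS}
    dropper_like = bool(packed) and bool(loaders)   # encrypted blob + loader code
    rat_like = len(surveillance) >= 4               # broad surveillance set
    if dropper_like and rat_like:
        verdict = "high"
    elif dropper_like or rat_like:
        verdict = "medium"
    else:
        verdict = "low"
    return {"packed_assets": packed, "class_loaders": loaders,
            "surveillance_permissions": surveillance, "verdict": verdict}


def build_sample_apk(payload: bytes, dex_strings: bytes) -> bytes:
    """Constructed stand-in for an APK: a zip with a fake dex and one asset."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"<binary-xml placeholder>")
        apk.writestr("classes.dex", b"dex\n035\0" + dex_strings)
        apk.writestr("assets/payload.bin", payload)
    return buf.getvalue()


def demo():
    """Run the triage over a constructed dropper-like sample and a benign one."""
    rng = random.Random(1234)  # deterministic stand-in for an encrypted blob
    encrypted_blob = bytes(rng.getrandbits(8) for _ in range(96 * 1024))
    suspicious = build_sample_apk(
        encrypted_blob, b"Ldalvik/system/DexClassLoader;\0Lcom/example/Svc;")
    benign = build_sample_apk(
        b'{"tracking_api": "https://example.invalid/"}\n' * 2000,
        b"Landroid/app/Activity;")
    rat_permissions = list(SURVEILLANCE_PERMISSIONS) + ["android.permission.INTERNET"]
    return {
        "suspicious": triage(suspicious, rat_permissions),
        "benign": triage(benign, ["android.permission.INTERNET",
                                  "android.permission.ACCESS_FINE_LOCATION"]),
    }


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report["verdict"], report["packed_assets"], report["class_loaders"])
```

Entropy alone is a weak signal, since legitimate apps ship compressed media and model files, and class loaders appear in many plugin frameworks; the point is the conjunction of a near-random blob, loader code and a delivery app asking for SMS, call-log, microphone and camera access, which is the combination the article describes.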
Recommendations
Users should verify the authenticity of delivery apps before installation, be cautious when scanning QR codes, use multi-factor authentication, and keep their mobile devices and security software up to date. Organizations should educate employees about phishing and smishing tactics targeting mobile devices.