Tuesday, April 29, 2025
HomeAndroidKimsuky Hacker Group Targeting Mobile Users With New Android Malware

Kimsuky Hacker Group Targeting Mobile Users With New Android Malware

Published on

SIEM as a Service

Follow Us on Google News

Kimsuky (aka Thallium, Black Banshee, Velvet Chollima) is a North Korean hacking group that is actively targeting Android device users with 3 new mobile malware that are recently discovered by the cybersecurity experts at S2W.

This group has been active since 2012 and has performed several cyberattacks on targets who are engaged in the following sectors around the globe:- 

  • Media
  • Research
  • Politics
  • Diplomacy
  • Finance

Data is primarily collected by this hacking group through the distribution of malware and spear-phishing attacks through which they gain access to the victims’ accounts.

- Advertisement - Google News

Malware Strains

It should be noted that the malware strains were named in the following manner by the South Korean cybersecurity company S2W:-

  • FastFire: FastFire disguised as a Google security plug-in.
  • FastViewer: FastViewer malware disguises itself as “Hancom Viewer.”
  • FastSpy: FastSpy is a remote access tool that is based on the open-source AndroSpy tool.

As far as Kimsuky is concerned, North Korea is expected to be conducting an intelligence-gathering mission under the curtain of Kimsuky around the globe.

The primary focus of this group is on the organizations and entities from the following countries:-

  • South Korea
  • Japan
  • The U.S.

Technical Analysis

In the past, attackers have been able to execute arbitrary actions on infected devices through the Android version of the AppleSeed implant.

The three families of malware that have been discovered recently are the latest additions to Kimsuky’s arsenal. This set of malware is mainly designed to perform two key tasks:-

  • Receive commands from Firebase
  • Download additional payloads

There is a predetermined order in which FastFire is executed, which begins with MainActivity. “com.viewer.fastsecure” is the package name of the malicious APK, which disguises itself as a Google Security Plugin.

There is no way to discover that it is installed once it is installed because it hides its launcher icon. Using the accessibility API permissions, FastViewer and FastSpy both perform spying activities on Android devices.

Upon launching FastSpy, it will give the attacker complete control over the devices that are being targeted to steal and hijack the following data and components:-

  • Calls
  • SMS
  • Locations
  • Documents
  • Keystrokes
  • Camera
  • Recordings
  • Microphone
  • Speakers

These three malware families were attributed to the Kimsuky hacking group, as this group has been found to be using the domain “mc.pzs[.]kr.” While it’s the domain name that has previously been used by the group in a prior campaign that was operated in May 2022.

It is imperative that users be careful about sophisticated attacks targeting Android devices due to Kimsuky Group’s mobile targeting strategy becoming more sophisticated and advanced.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Researchers Uncover SuperShell Payloads and Various Tools in Hacker’s Open Directories

Cybersecurity researchers at Hunt have uncovered a server hosting advanced malicious tools, including SuperShell...

Cyber Espionage Campaign Targets Uyghur Exiles with Trojanized Language Software

A sophisticated cyberattack targeted senior members of the World Uyghur Congress (WUC), the largest...

Konni APT Deploys Multi-Stage Malware in Targeted Organizational Attacks

A sophisticated multi-stage malware campaign, potentially orchestrated by the North Korean Konni Advanced Persistent...

Outlaw Cybergang Launches Global Attacks on Linux Environments with New Malware

The Outlaw cybergang, also known as “Dota,” has intensified its global assault on Linux...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Researchers Uncover SuperShell Payloads and Various Tools in Hacker’s Open Directories

Cybersecurity researchers at Hunt have uncovered a server hosting advanced malicious tools, including SuperShell...

Cyber Espionage Campaign Targets Uyghur Exiles with Trojanized Language Software

A sophisticated cyberattack targeted senior members of the World Uyghur Congress (WUC), the largest...

Konni APT Deploys Multi-Stage Malware in Targeted Organizational Attacks

A sophisticated multi-stage malware campaign, potentially orchestrated by the North Korean Konni Advanced Persistent...