Kimsuky Hacker Group Targeting Mobile Users With New Android Malware

Kimsuky (aka Thallium, Black Banshee, Velvet Chollima) is a North Korean hacking group that is actively targeting Android device users with 3 new mobile malware that are recently discovered by the cybersecurity experts at S2W.

This group has been active since 2012 and has performed several cyberattacks on targets who are engaged in the following sectors around the globe:- 

• Media
• Research
• Politics
• Diplomacy
• Finance

Data is primarily collected by this hacking group through the distribution of malware and spear-phishing attacks through which they gain access to the victims’ accounts.

Malware Strains

It should be noted that the malware strains were named in the following manner by the South Korean cybersecurity company S2W:-

• FastFire: FastFire disguised as a Google security plug-in.

• FastViewer: FastViewer malware disguises itself as “Hancom Viewer.”

• FastSpy: FastSpy is a remote access tool that is based on the open-source AndroSpy tool.

As far as Kimsuky is concerned, North Korea is expected to be conducting an intelligence-gathering mission under the curtain of Kimsuky around the globe.

The primary focus of this group is on the organizations and entities from the following countries:-

• South Korea
• Japan
• The U.S.

Technical Analysis

In the past, attackers have been able to execute arbitrary actions on infected devices through the Android version of the AppleSeed implant.

The three families of malware that have been discovered recently are the latest additions to Kimsuky’s arsenal. This set of malware is mainly designed to perform two key tasks:-

• Receive commands from Firebase
• Download additional payloads

There is a predetermined order in which FastFire is executed, which begins with MainActivity. “com.viewer.fastsecure” is the package name of the malicious APK, which disguises itself as a Google Security Plugin.

There is no way to discover that it is installed once it is installed because it hides its launcher icon. Using the accessibility API permissions, FastViewer and FastSpy both perform spying activities on Android devices.

Upon launching FastSpy, it will give the attacker complete control over the devices that are being targeted to steal and hijack the following data and components:-

• Calls
• SMS
• Locations
• Documents
• Keystrokes
• Camera
• Recordings
• Microphone
• Speakers

These three malware families were attributed to the Kimsuky hacking group, as this group has been found to be using the domain “mc.pzs[.]kr.” While it’s the domain name that has previously been used by the group in a prior campaign that was operated in May 2022.

It is imperative that users be careful about sophisticated attacks targeting Android devices due to Kimsuky Group’s mobile targeting strategy becoming more sophisticated and advanced.