North Korean Hackers Figure Out How To Infiltrate Google Play
Despite the recent detente with America and South Korea, North Korea continues to launch cyberattacks across the globe. And in recent months, attempts were made by a mysterious hacker crew called the Sun Team to infiltrate the Android phones of North Korean defectors, via phishing attempts on Facebook and malware hosted on Google Play, according to research from McAfee. It appears to be the first example of North Korean hackers breaking through the security on Google’s market and a sign of increasing sophistication by the nation state’s hackers.
The Sun Team infiltrated Google Play with three different spy tools in January. All masqueraded as something they were not, whilst pilfering private data from infected phones. Two were supposed security applications – Fast AppLock and AppLockFree. The other was, bizarrely, related to food ingredients. All were posted on Facebook groups associated with defectors between January and March by a fake profile set up by the Sun Team, or delivered via private messages on the social network, the cybersecurity firm said. KakaoTalk, a popular chat application in South Korea, was also used to send targets links to the malware.
All rogue Android apps have now been removed from the Google Play market, after they bypassed the tech giant’s protections on its official Android app store. They remained live on Google’s platform for two months, amassing only 100 or so downloads, though given the apparently targeted nature of the attacks, this could be deemed a successful campaign by the attackers. Google hadn’t responded to a request for comment at the time of publication.
Two fake Facebook profiles of the Sun Team remain live, Forbes found. One linked to the Google Play-hosted malware once used the image of Hollywood actor Tom Cruise as his profile image, until he changed to one pilfered from an Asian engineer’s blog. Forbes couldn’t find his links to the security-focused apps on Facebook, but was able to locate his attempt to spread the ingredients application, which was posted to a hugely popular South Korean Facebook page followed by more than 640,000 people.
Facebook said it was aware of the links prior to being contacted by McAfee on Wednesday and has already taken action and notified the targets.
Once a device was infected with the malware, the attackers sought to extract everything from the Android, such as photos, text messages and call recordings, amongst other data, said Raj Samani, CTO of McAfee. All that data would be uploaded to Dropbox and Yandex accounts controlled by the hackers, who could also issue commands to the compromised Android device. Those cloud storage sites hosted data from previous Sun Team campaigns targeting Android phones, detailed by McAfee in January. In those cases, Facebook was again used to spread links to the malware, whilst the malicious software was hosted on Google’s Drive platform.
North Korea to blame?
McAfee doesn’t do attribution but it did offer some indications as to where the Sun Team came from. Within the attacker’s code was an exposed IP address that pointed back to North Korea (though the company declined to offer more specifics) and in the latest attacks the Korean writing in the description on Google Play was “awkward.”
“These features are strong evidence that the actors behind these campaigns are not native South Koreans but are familiar with the culture and language. These elements are suggestive though not a confirmation of the nationality of the actors behind these malware campaigns,” McAfee wrote in a report shared with Forbes ahead of publication.
The revelations about the Android attacks come just a week after Forbes revealed North Korea-linked hackers were, for the first time, actively developing spyware aimed at Apple iPhones. Previously, McAfee found the Lazarus Group, believed to have perpetrated the 2014 Sony Pictures hack that was attributed to North Korea, had copied apps from Google Play to launch attacks outside the market.
Regardless of their success rate, the North Korean regime’s hackers have continued to step up their smartphone espionage operations in earnest. If the peaceful relations don’t last (a prospect made more likely by North Korea’s threat to cancel talks with Donald Trump earlier this month), expect the attacks to continue.