North Korea behind data-stealing Android apps promoted to defectors via Facebook, claims McAfee

'RedDawn' data filching apps in Google Play targeting North Korean defectors the work of 'Sun Team', rather than Lazarus

McAfee has pointed the finger of blame at hackers linked with North Korea for a trio of data-stealing Android apps that appeared in the Google Play store between January and March this year.

According to the McAfee researchers, the apps were intended to target North Korean defectors to South Korea - numbering more than 30,000 in 2016 - in a campaign McAfee has dubbed 'RedDawn'.

Two of the apps purported to be security utilities, while a third provided information about food ingredients. However, they all contained similar hidden functions that enabled them to surreptitiously exfiltrate personal information, including text messages, contacts and photos.

The apps were promoted to particular targets via Facebook, McAfee claims. However, it adds that the malware was not the work of the well-known Lazarus Group, but another North Korean hacking outfit that has been dubbed Sun Team.

The apps were called Food Ingredients Info, Fast AppLock and AppLockFree.

"Food Ingredients Info and Fast AppLock secretly steal device information and receive commands and additional executable (.dex) files from a cloud control server. We believe that these apps are multi-staged, with several components.

"AppLockFree is part of the reconnaissance stage, we believe, setting the foundation for the next stage, unlike the other two apps. The malware was spread to friends, asking them to install the apps and offer feedback, via a Facebook account with a fake profile that promoted Food Ingredients Info," according to McAfee security researcher Jaewon Min.

However, he continued, the Sun Team malware authors had made it relatively straightforward to link them to the malicious apps. "After infecting a device, the malware uses Dropbox and Yandex to upload data and issue commands, including additional plug-in dex files; this is a similar tactic to earlier Sun Team attacks.

"From these cloud storage sites, we found information logs from the same test Android devices that Sun Team used for the malware campaign we reported in January. The logs had a similar format and used the same abbreviations for fields as in other Sun Team logs. Furthermore, the email addresses of the new malware's developer are identical to the earlier email addresses associated with the Sun Team."
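The behaviour described above (extra .dex code pulled from Dropbox and Yandex, plus harvesting of SMS, contacts and device data) lends itself to a simple static triage check. The following is an added example, not McAfee's tooling or code from the samples; the string tables are constructed to illustrate the pattern, and the Dropbox/Yandex API hostnames are assumed to be what a sample contacting those services would embed.

```python
import re

# Constructed sample string tables, as `strings` or a dex parser would yield
# from classes.dex. Illustrative only; these are not the actual RedDawn samples.
SUSPECT_STRINGS = [
    "Ldalvik/system/DexClassLoader;",
    "https://content.dropboxapi.com/2/files/download",
    "https://cloud-api.yandex.net/v1/disk/resources/download",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "plugin.dex",
    "Landroid/telephony/TelephonyManager;->getDeviceId",
]
BENIGN_STRINGS = [
    "Lcom/example/recipes/MainActivity;",
    "https://api.example.com/v1/ingredients",  # hypothetical app backend
    "android.permission.INTERNET",
]

# Indicator categories taken from the behaviour McAfee describes: dynamic
# loading of additional .dex code, cloud-storage hosts used for command and
# control, and access to SMS, contacts and device identifiers.
INDICATORS = {
    "dynamic_dex_loading": [r"DexClassLoader", r"PathClassLoader", r"\.dex\b"],
    "cloud_storage_c2": [r"dropboxapi\.com", r"yandex\.net"],
    "data_collection": [r"READ_SMS", r"READ_CONTACTS", r"getDeviceId"],
}


def classify(strings):
    """Map each indicator category to the set of strings that matched it."""
    hits = {cat: set() for cat in INDICATORS}
    for s in strings:
        for cat, patterns in INDICATORS.items():
            if any(re.search(p, s) for p in patterns):
                hits[cat].add(s)
    return hits


def is_multistage_pattern(strings):
    """True only when all three categories co-occur. Any one alone is common
    in legitimate apps (plugin frameworks, cloud backup, SMS clients); the
    combination is the multi-stage shape described here and warrants review."""
    return all(classify(strings).values())
```

Treat a positive result as a reason for dynamic analysis of the app's network traffic to those hosts, not as a verdict on its own.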

In addition, the authors used Korean words "not in South Korean vocabulary" and exposed an IP address that points to North Korea.

And that isn't the only evidence of the carelessness and inexperience of the authors, claimed Min.

"We uncovered information about the attacker's Android test devices and exploits they tried to use…

"The exploit code was found uploaded to one of the cloud storage services used by Sun Team; it consists of modified versions of publicly available sandbox escape, privilege escalation and code execution exploits, with added functions to drop their own Trojans on victims' devices.

"The modified exploits suggest that the attackers are not skilful enough to find zero days and write their own exploits."