Kimsuky APT Boosts its Attack Capabilities with New Android Malware
A new cyberespionage operation targeting users in South Korea has been attributed to Kimsuky, a threat actor group based in North Korea. To compromise Android devices, the campaign uses three newly discovered malicious Android apps.
Regarding the recently discovered malicious software for Android
According to the results of the threat research and intelligence centre at S2W, the three new pieces of malware are referred to as FastFire, FastViewer, and FastSpy.
These malicious programmes are disguised as the APKs of three different utility apps that the attackers built and that are available on the Google Play Store.
The malicious programme known as FastViewer masquerades as Hancom Office Viewer, in contrast to FastFire, which pretends to be a Google security plugin.
FastSpy, the remote access tool delivered by the other two apps, is derived from AndroSpy.
FastFire is still under development. Rather than plain HTTPS, it uses Firebase to receive commands from its C2 servers.
After collecting information from an infected device, FastViewer downloads additional payloads, including FastSpy, onto the device.
FastSpy gives its operators the ability to track the user's location, intercept phone calls and text messages, exfiltrate documents, capture keystrokes, and record from the device's camera, microphone, and speaker.
Both FastViewer and FastSpy abuse Android's accessibility API permissions to carry out their spying capabilities; however, only FastSpy automates the user clicks needed for the app to obtain its full set of permissions.
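The accessibility-service abuse described above leaves a footprint in the app manifest: a service bound with `BIND_ACCESSIBILITY_SERVICE` sitting next to the permissions the spyware needs (SMS, call log, microphone, camera, location). The following triage script is an added example, not code from S2W or from the original article. It assumes the APK's manifest has already been decoded to plain XML (for instance with apktool) and runs a simple heuristic over a constructed sample manifest; the package name, service name and threshold are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Android resource namespace used for every android:* attribute in a manifest
ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS

# Permission that a service must declare to be registered as an accessibility service
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Permissions that map onto the surveillance capabilities described in the text
SPY_PERMISSIONS = {
    "android.permission.READ_SMS": "read text messages",
    "android.permission.RECEIVE_SMS": "intercept incoming text messages",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.RECORD_AUDIO": "record from the microphone",
    "android.permission.CAMERA": "record from the camera",
    "android.permission.ACCESS_FINE_LOCATION": "track location",
    "android.permission.READ_EXTERNAL_STORAGE": "read stored documents",
}

# Constructed sample: a "viewer" app that also registers an accessibility service
# and asks for several surveillance permissions (not a real app or package name).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.viewer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Viewer">
        <service android:name=".HelperAccessibilityService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed benign sample: a viewer that only needs storage and network access
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.docviewer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Doc Viewer"/>
</manifest>
"""


def analyze_manifest(xml_text, min_spy_permissions=2):
    """Flag a decoded manifest that pairs an accessibility service with
    spyware-style permissions. Returns a dict with the evidence found."""
    root = ET.fromstring(xml_text)

    requested = {e.get(A + "name") for e in root.iter("uses-permission")}

    # Services registered as accessibility services must declare this permission
    accessibility_services = [
        s.get(A + "name")
        for s in root.iter("service")
        if s.get(A + "permission") == ACCESSIBILITY_PERMISSION
    ]

    spy = sorted(p for p in requested if p in SPY_PERMISSIONS)

    # Heuristic (an assumption for this example): an accessibility service plus
    # two or more surveillance permissions is worth a manual look.
    flagged = bool(accessibility_services) and len(spy) >= min_spy_permissions

    return {
        "package": root.get("package"),
        "accessibility_services": accessibility_services,
        "spy_permissions": spy,
        "capabilities": [SPY_PERMISSIONS[p] for p in spy],
        "flagged": flagged,
    }


if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = analyze_manifest(text)
        verdict = "REVIEW" if report["flagged"] else "ok"
        print(f"{report['package']}: {verdict} "
              f"services={report['accessibility_services']} "
              f"capabilities={report['capabilities']}")
```

The check is deliberately coarse: legitimate accessibility apps (screen readers, automation tools) will also trip it, so it is a triage filter for analysts, not a blocking rule. It says nothing about runtime behaviour such as the automated permission clicks, which needs dynamic analysis.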
Based on overlaps with a server domain that was used in a campaign that took place in May 2022, S2W was able to attribute the malicious software to Kimsuky.
The researchers also emphasise that the attackers have made various efforts to evade detection by modifying AndroSpy.
The continuous assaults by Kimsuky against people from South Korea
A previous attempt at spying on South Koreans had been made by the sinister group in the month of August.
South Korean think tanks, university academics, and government institutions were the intended victims of that campaign, codenamed GoldDragon. It also spread to affected organisations in Europe and the United States.
The infection chain began with a spear-phishing email that delivered a Windows infostealer, which captured user keystrokes and web browser passwords.
The pervasive North Korea-based threat actor group is continually refining its standard operating procedures (SOPs) and devising new methods to evade detection and hinder analysis. Because Kimsuky's mobile targeting approach is becoming more sophisticated, users are encouraged to exercise caution and read user reviews before installing any app. They should also install the latest software updates and anti-virus solutions on all of their devices.