Posted on May 18, 2018 at 2:17 PM
North Korean Hackers Infect Defectors via Facebook and Google Play
A new report published by McAfee researchers claims that Google Play hosted three, or possibly more, Android apps that were used by hackers to steal users’ personal data. Hackers are believed to be tied to North Korea.
Researchers found new malicious apps on Google Play
According to McAfee researchers, three apps were discovered on Google Play that had the potential to steal North Korean users’ personal data. Two of the apps were disguised to look as security apps, while the last one looked like a tool for retrieving information regarding food ingredients. McAfee’s blog post published this Thursday claims that the apps have been in the marketplace from January to March 2018.
According to the report, not only were the apps capable of stealing the data of the devices, but they could also take personal text messages, photos, as well as contact lists via an executable code. It would seem that they were spread in a way that allowed them to infect specific individuals via Facebook. By the time Google discovered them and removed them from the Play Store, they already had over 100 downloads. Due to their infiltration on the devices of carefully selected targets, it is believed that the apps were a part of a Nation-operated campaign involving espionage.
The campaign is similar to those discovered before
McAfee issued a report last November that states that the firm’s researchers discovered malicious Android files with backdoors that allowed hackers to infiltrate users’ devices. According to them, the backdoors had a lot of similarities with those used by Lazarus group, which is a hacking unit from North Korea. The group was credited with many attacks, which is why researchers have been tracking them for years now. They were allegedly involved with the Sony Pictures breach in 2014, as well as multiple attacks on various financial institutions like the bank of Bangladesh in 2016.
Apart from that, the group is also suspected to be the party responsible for letting the WannaCry worm on the loose. WannaCry infected businesses, train stations, hospitals, and many other institutions all around the world last year. Obviously, researchers had a lot of material for studying this groups method of attacking. This is why they managed to recognize the same seed used for generating encryption keys in the backdoors of the files reported in November.
Another report from this firm came in January of this year when they reported the discovery of several infected apps that seemed to be targeting defectors and journalists from North Korea. This was established thanks to several words that were found in the servers, and which are not used in South Korea. North Korea did use them, which is what led researchers come to this conclusion. Additionally, they also uncovered an IP address belonging to North Korea in one of the test log files found on Android devices that were connected to malicious accounts.
One of the folders found on these accounts was called “Sun Team Folder”, and so the group was named the Sun Team, due to failure to connect them to other, already-existing groups.
The same group might be responsible this time as well
Finally, we come to the three apps reported on Thursday. McAfee claims that they have the same developer email address as the apps found in January. Because of this, it is believed that the same group is responsible for both groups of apps. The apps also share a connection in the form of similar format, and the three new ones have Korean writing in their descriptions.
Raj Samani, Chief Scientist of McAfee, believes that the Lazarus group and the Sun Team are different entities. He concluded this due to differences in their campaign methods. He, of course, left the possibility that there might be a connection between them, but it cannot be proved presently. What the researchers did manage to establish is that the Sun Team is probably based in North Korea, due to the specific language used in the description of the apps. However, even this evidence is only suggestive, but it doesn’t allow complete confirmation.