DocSwap Mobile Malware

Staying alert to evolving mobile threats is essential, as state-linked actors continue to refine social engineering and malware delivery techniques. A recent campaign attributed to the North Korean group Kimsuky highlights how attackers are blending phishing, QR codes, and trojanized Android apps to compromise victims' devices.

Kimsuky’s Latest Android Campaign Uncovered

Security researchers have linked Kimsuky to a fresh operation distributing a new Android malware variant known as DocSwap. The campaign abuses phishing websites impersonating the well-known Seoul-based logistics company CJ Logistics, previously called CJ Korea Express. These fake pages are designed to appear trustworthy and target users expecting shipment-related notifications.

QR Codes and Fake Alerts as Infection Vectors

The attackers rely heavily on QR codes and deceptive notification pop-ups to entice users into installing malicious applications. When accessed from a desktop system, the phishing page displays a QR code that prompts the visitor to scan it with an Android device. This redirection technique pushes the victim toward installing what is presented as a shipment tracking or security verification app.

To further the deception, the phishing page runs a tracking PHP script that inspects the browser's User-Agent. Based on this check, users are shown messages urging them to install a so-called security module, supposedly required to comply with 'international customs security policies.' This narrative is intended to justify the installation request and lower suspicion.

Bypassing Android Security Warnings

Because Android restricts installations from unknown sources and displays prominent warnings, the threat actors falsely claim that the app is an official and safe release. This social engineering tactic pressures victims into ignoring built-in protections and proceeding with the installation despite the alerts.

Malicious APK Delivery and Execution Chain

If the victim agrees, an APK named SecDelivery.apk is downloaded from the server at 27.102.137.181. Once launched, this package decrypts an encrypted APK embedded within its own resources. Before activating the payload, it verifies that it has obtained permissions to manage external storage, access the internet, and install additional packages.

After permissions are confirmed, the malware registers a service identified as com.delivery.security.MainService and immediately launches an activity posing as an OTP-based identity check. This fake authentication screen requests a delivery number, which is hard-coded in the APK as 742938128549 and is likely supplied to victims during the initial phishing step.

Deceptive Authentication and Silent Compromise

Upon entering the delivery number, the app generates a random six-digit verification code and displays it as a notification. The user is then prompted to input this code, reinforcing the illusion of a legitimate security process. Once completed, the app opens a WebView pointing to the genuine CJ Logistics tracking page, making the activity appear authentic.

Meanwhile, the malicious component silently connects to an attacker-controlled command-and-control server at 27.102.137.181 on port 50005. From this point, the newly deployed DocSwap variant operates as a full-featured remote access trojan.
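For defenders, the useful takeaways from the execution chain and the C2 behaviour above are the concrete indicators: the dropper name SecDelivery.apk, the registered service com.delivery.security.MainService, and the C2 endpoint 27.102.137.181 on port 50005. The script below is an added triage example (not the researchers' tooling) that checks constructed Zeek-style conn and http log samples and an installed-package inventory against those indicators; the mapping of the article's permission descriptions to the Android constants MANAGE_EXTERNAL_STORAGE, INTERNET and REQUEST_INSTALL_PACKAGES is an assumption.

```python
# Indicators taken from the article; everything else here is constructed.
C2_HOST, C2_PORT = "27.102.137.181", 50005
DROPPER_APK = "SecDelivery.apk"
RAT_SERVICE = "com.delivery.security.MainService"
# Assumed Android constants for the three permissions the dropper checks.
DROPPER_PERMS = {"android.permission.MANAGE_EXTERNAL_STORAGE",
                 "android.permission.INTERNET",
                 "android.permission.REQUEST_INSTALL_PACKAGES"}

# Constructed conn.log sample: ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto
CONN_LOG = """\
1718000001.1\tC1\t10.0.0.23\t41822\t142.250.74.78\t443\ttcp
1718000002.4\tC2\t10.0.0.23\t41900\t27.102.137.181\t80\ttcp
1718000009.0\tC3\t10.0.0.23\t41911\t27.102.137.181\t50005\ttcp
"""
# Constructed http.log sample: ts id.orig_h id.resp_h uri
HTTP_LOG = """\
1718000002.5\t10.0.0.23\t27.102.137.181\t/download/SecDelivery.apk
1718000003.0\t10.0.0.23\t142.250.74.78\t/search
"""

def scan_conn(log):
    """Flag every flow to the C2 host; the RAT port is high severity, any other
    port (e.g. the APK download over HTTP) is medium."""
    hits = []
    for line in log.splitlines():
        f = line.split("\t")
        if len(f) < 7 or f[4] != C2_HOST:
            continue
        sev = "high" if int(f[5]) == C2_PORT else "medium"
        hits.append((f[2], int(f[5]), sev))
    return hits

def scan_http(log):
    """Flag downloads of the dropper APK name regardless of serving host."""
    return [(f[1], f[3]) for f in (l.split("\t") for l in log.splitlines())
            if len(f) == 4 and f[3].endswith("/" + DROPPER_APK)]

def scan_package(package, services, permissions):
    """Verdict for one installed package: the RAT service name alone is decisive;
    the dropper's permission trio is only suspicious, since legitimate
    installer-style apps request the same set."""
    reasons = []
    if RAT_SERVICE in services:
        reasons.append("rat-service")
    if DROPPER_PERMS <= set(permissions):
        reasons.append("dropper-permission-set")
    verdict = "malicious" if "rat-service" in reasons else (
        "suspicious" if reasons else "clean")
    return {"package": package, "reasons": reasons, "verdict": verdict}
```

The conn-log check should be paired with the permission check on the device: the C2 flow is the strongest signal, while the permission set only narrows the candidate list for manual review.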

Remote Access Capabilities and Data Theft

The malware is capable of receiving dozens of commands from its operators, enabling extensive surveillance and control over the infected device. Its functionality includes the ability to log user input, monitor communications, and extract sensitive personal data, turning the compromised smartphone into a powerful espionage tool.

Trojanized Apps and Expanded Distribution

Beyond the fake delivery app, researchers identified additional malicious samples masquerading as a P2B Airdrop application and a compromised version of a legitimate VPN product, BYCOM VPN. The genuine VPN app is available on Google Play and is developed by the Indian company Bycom Solutions. Analysis indicates that Kimsuky injected malicious code into the legitimate APK and repackaged it for use in the campaign.

Phishing Infrastructure and Credential Harvesting

Investigation into the supporting infrastructure revealed phishing websites imitating popular South Korean platforms such as Naver and Kakao. These sites are designed to steal user credentials and show overlaps with earlier Kimsuky operations that specifically targeted Naver users, suggesting reuse and expansion of established infrastructure.

Evolving Malware Design

While the deployed malware still launches a RAT service similar to previous Kimsuky tools, it demonstrates notable evolution. The use of a new native decryption function for the embedded APK and the inclusion of multiple decoy behaviors indicate ongoing development and an effort to evade detection while increasing effectiveness.