Researchers from the security company McAfee have said that a team of hackers linked to North Korea recently “hosted at least three Android apps” on Google Play that were designed to covertly steal personal information from defectors from the isolated regime.
The three apps first appeared on Google Play in January and weren’t removed until Google was privately notified in March. According to a blog post published by McAfee researchers this week, two of the apps masqueraded as security apps, while the third posed as an app providing information about food ingredients.
The three malicious apps had hidden functions that could steal device information and receive additional executable code that stole contact lists, personal photos, and text messages. Before they were removed by Google, the apps had accrued around 100 downloads.
The malicious apps were distributed to selected individuals, with Facebook used as the preferred medium for contacting them. As is typical, state-run espionage campaigns usually infect a small number of carefully selected targets in order to evade detection.
In January 2018, McAfee had reported finding malicious apps targeting North Korean journalists and defectors; a North Korean IP address turned up in a test log file from Android devices connected to the accounts used to spread the malware.
Since McAfee could not at the time link the developers to any previously known hacking group, it named the group “Sun Team” after a deleted folder it came across called “sun Team Folder.”
Moreover, the three apps McAfee reported this week contained the same developer email address as the apps reported in January, indicating that the same developers created them. The logs for the newly detected apps also used the same abbreviations for various fields and formats similar to those of the apps reported in January.
Earlier, there was speculation that this attack could be the work of Lazarus, the notorious advanced persistent threat group (also suspected of links to North Korea) credited with the infamous 2014 breach of Sony Pictures that wiped almost one TB of data.
Lazarus also carried out an $81 million heist of a Bangladeshi bank in 2016 and unleashed the WannaCry worm (second attribution), which affected businesses, hospitals and train stations around the world.
However, according to an email from McAfee Chief Scientist Raj Samani, “the company researchers right now believe the Sun Team is probably a separate group from Lazarus. The researchers have based their assessment on different methods used in their campaigns.”
Mr. Samani also said “it could be possible that Lazarus and the Sun Team may ultimately prove to be more connected, contrary to what the current evidence establishes. But, based on the language found in the Android apps, the McAfee researchers have strong apprehensions that the Sun Team is based out of North Korea.”