Researchers at McAfee have now discovered new applications tied with a malicious attempt to track and steal information from North Korean defectors. While spyware isn’t uncommon in the mobile world, McAfee says this is actually the second attempt by a group it calls the “Sun Team.” Sun Team was also responsible for several applications identified earlier this year which were designed to track defectors from the country and journalists. Those were published to the Google Play Store as “Unreleased” test versions of applications. Dubbed RedDawn, the malware now includes three more applications titled 음식궁합, Fast AppLock, and AppLockFree. As with previous attempts, the group was able to be identified using patterns in Dropbox accounts tied to the downloading of malicious software by the apps and similar patterns in email addresses and Android device information. Meanwhile, familiarity with the South Korean culture was also apparent but the use of the language in that context was awkward. That suggests that the entities behind the attacks are familiar with those things but are not native South Koreans.
Facebook was also used in both this attack and the earlier one to spread the application via links sent to friends of infected parties. With regard to the apps themselves, each appears to be multi-staged but each was caught early on after only around 100 infections. 음식궁합 is a food information application, which translates loosely to Food Ingredients Info, according to McAfee. The remaining apps are tied to securing applications. The first stage is to steal information from the devices and then 음식궁합 and Fast AppLock can also both receive and execute files from a cloud server. AppLockFree appears to have only collected device information.
Although this attempt was caught and the apps removed from Google Play, it’s important to remember that the attacks could easily get worse. Up until this point, those behind the attacks have been dependent on modified versions of publicly available exploits. They have also been generating and utilizing false identities using names and photos stolen from social networks to promote the “Unreleased” apps. Given the persistence of the Sun Team, it’s likely only a matter of time before the attacks become more sophisticated. In the meantime, this recently discovered malware can be identified as Android/RedDawn.A, B by McAfee Mobile Security.