Malicious APK files are being used to attack North Korean defectors and journalists. According to the McAfee Mobile Research team, threat actors are sending malicious links via KakaoTalk and other social network services, such as Facebook, in a targeted campaign. The links claim to connect to either something called Pray for North Korea, or BloodAssistant, which is a fake health care app.
In both cases, they redirect to a dropper mechanism.
The dropper tricks the victim into turning on accessibility permissions, and then installs an espionage Trojan with a range of malicious functions, including saving SMS messages, contact information, GPS location, phone call logs, installed apps and contacts; it can also record phone calls. Further, the attackers can easily extend the Trojan’s malicious functionality without needing to update the whole malware.
Researcher Jaewon Min wrote in his blog, “This malware campaign is highly targeted …and appear to want to spy on North Korean defectors and on groups and individuals who help defectors. …and the actors are familiar with South Korea.”