North Korea-linked hackers targeted defectors with Android spyware

The surveillance apps made it to Google Play.

When Android malware slips into the Google Play Store, it's usually there to push unwanted ads or perpetuate a scam. McAfee researchers, however, have discovered something more sinister. A North Korean group nicknamed Sun Team recently posted three apps in Google Play that were used to target defectors from the authoritarian country. The attackers contacted people through Facebook in bids to have them install seemingly innocuous "unreleased" apps for food and security. When installed, the rogue apps would send contacts, photos and text messages to the intruders using Dropbox and Russia's Yandex to both upload data and send commands.

The campaign, nicknamed RedDawn, isn't Sun Team's first. McAfee spotted another initiative in January. That effort, however, required downloads outside of Google Play -- the would-be victims had to go out of their way to download the apps. This tactic might have been more convincing when many users explicitly trust Google Play and its anti-malware screening.

It's not completely certain that North Korea's government is behind RedDawn. McAfee told Ars Technica that it believed Sun Team was distinct from the state-backed Lazarus group that has been launching attacks for years. It's also unclear that the campaign was successful given that there are no publicly known infections. The targets and the purely spying-oriented nature of the code make North Korea's regime a strong candidate, though. And whoever's responsible, this is more than a little concerning. It suggests that you're not safe from politically motivated malware attacks even if you limit your app downloads to official stores.