A new variant of Android malware, named DocSwap, has been identified as part of a campaign linked to North Korean threat actors. This malware is distributed through QR codes embedded in phishing sites disguised as the logistics company, CJ Logistics, based in Seoul.
Malware Distribution Method
Threat actors have employed QR codes and pop-up notifications to deceive victims into downloading a fake delivery tracking or security module app, namely SecDelivery.apk. This trojanized app requests multiple permissions, such as storage, internet access, and package installation. It operates by downloading and decrypting an embedded payload, registering a delivery service component, and launching an authentication process similar to OTP systems.
Once installed, DocSwap can log keystrokes, capture audio, and more, while showing the victim what looks like a legitimate CJ Logistics tracking page.
Capabilities and Implications
According to ENKI, a South Korean cybersecurity firm, the malware uses advanced techniques, including dynamic decryption of its internal resources and a range of evasion tactics. Its reach is broadened by its ability to exfiltrate sensitive data such as SMS messages, call logs, and contacts.
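As an added triage example (not code from the article or from ENKI), the following script checks an APK's AndroidManifest.xml for the permission profile the article describes: the dropper-stage set (storage, internet, package installation) combined with the exfiltration-stage set (SMS, call logs, contacts, audio). The sample manifest and the package name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permission profile drawn from the behaviour described in the article:
# dropper stage (storage, internet, package installation) and
# exfiltration stage (SMS, call log, contacts, audio).
DROPPER_PERMS = {
    "android.permission.INTERNET",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
SPYWARE_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return matched permissions and a verdict for one manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    dropper = sorted(requested & DROPPER_PERMS)
    spyware = sorted(requested & SPYWARE_PERMS)
    # A delivery-tracking app has no reason to install packages and
    # read SMS or call logs; flag when both stages are present.
    suspicious = (
        "android.permission.REQUEST_INSTALL_PACKAGES" in requested
        and len(spyware) >= 2
    )
    return {"dropper": dropper, "spyware": spyware, "suspicious": suspicious}


# Constructed sample manifest; not a real DocSwap artifact.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.secdelivery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The manifest of a real APK can be extracted with the Android SDK's `aapt2 dump xmltree` or with `apktool`, then fed to `triage_manifest`.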
DocSwap seems to be a part of broader phishing schemes targeting Korean platforms, utilizing fake pages of well-known services such as Naver and Kakao to gather credentials. Additionally, it has been found disguised as legitimate apps, such as a P2B Airdrop application and a compromised VPN service, signaling a trend towards sophisticated app repackaging tactics.