Three distinct Android malware families have been observed in use by the North Korean threat actor known as Kimsuky to target users in South Korea. According to research from the South Korean cybersecurity firm S2W, the families in question are FastFire, FastViewer, and FastSpy.
“The FastFire malware is disguised as a Google security plugin, and the FastViewer malware disguises itself as ‘Hancom Office Viewer,’ [while] FastSpy is a remote access tool based on AndroSpy,” researchers Lee Sebin and Shin Yeongjae said.
Kimsuky, also tracked as Black Banshee, Thallium, and Velvet Chollima, is believed to have been tasked by the North Korean government with a global intelligence-gathering mission, with a disproportionate focus on individuals and organizations in South Korea, Japan, and the United States. In August 2022, Kaspersky documented a previously unknown infection chain dubbed GoldDragon that could install a Windows backdoor and collect data from the victim, including file listings, user keystrokes, and saved web browser login credentials.
A version of AppleSeed for Android is also known to be used by the advanced persistent threat (APT) to carry out arbitrary operations and exfiltrate data from compromised devices. The most recent additions to its growing Android arsenal, FastFire, FastViewer, and FastSpy, are designed to receive commands from Firebase and download additional payloads.
The researchers revealed that FastViewer is a repackaged APK built by injecting malicious code into the legitimate Hancom Office Viewer app. It also downloads FastSpy as a follow-on payload. The malicious packages identified are:
- com.viewer.fastsecure (Google 보안 Plugin)
- com.tf.thinkdroid.secviewer (FastViewer)
FastViewer and FastSpy both abuse Android's Accessibility Service API to carry out their espionage. FastSpy uses it to automate the user interactions needed to grant itself a wide range of permissions, a technique also seen in the MaliBot banking trojan. Once active, FastSpy hands the adversary control of the infected device, with capabilities that include call and SMS interception, location tracking, document harvesting, keystroke logging, and recording via the phone's camera, microphone, and speaker.
S2W's attribution of the malware to Kimsuky rests on the command-and-control domain "mc.pzs[.]kr," which the group previously used in a May 2022 campaign that distributed malware disguised as press releases about North Korea.
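The package names and the C2 domain above are the concrete indicators a responder can act on, and the accessibility-service abuse leaves a footprint in device settings. The following triage helper is an added example (not code from S2W or from the article) that matches those indicators against captured `adb shell pm list packages` output, `settings get secure enabled_accessibility_services` output, and DNS query logs. The allow-list of expected accessibility services, the sample captures, and the service class name after the slash are all constructed for illustration; only the two package names and the domain come from the report.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the S2W findings cited above (package names and C2 domain).
IOC_PACKAGES = {
    "com.viewer.fastsecure": "FastFire, posing as 'Google 보안 Plugin'",
    "com.tf.thinkdroid.secviewer": "FastViewer, repackaged Hancom Office Viewer",
}
IOC_DOMAINS = {"mc.pzs.kr"}

# Assumed allow-list: accessibility services an organisation expects on its fleet.
# TalkBack is a typical entry; extend it to match your own baseline.
ALLOWED_ACCESSIBILITY_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}


@dataclass
class Findings:
    ioc_packages: dict = field(default_factory=dict)       # package -> description
    unexpected_accessibility: list = field(default_factory=list)
    ioc_domains: list = field(default_factory=list)


def parse_pm_list(text):
    """Parse `adb shell pm list packages` output: one 'package:<name>' per line."""
    return {ln.split(":", 1)[1].strip() for ln in text.splitlines() if ln.startswith("package:")}


def parse_enabled_accessibility(text):
    """Parse `adb shell settings get secure enabled_accessibility_services`.

    The value is a colon-separated list of 'package/ServiceClass' entries,
    or the literal 'null' when no service is enabled.
    """
    text = text.strip()
    if not text or text == "null":
        return []
    return [s for s in text.split(":") if s]


def hostnames_in(line):
    """Pull hostname-looking tokens out of a log line, undoing [.] defanging."""
    line = line.replace("[.]", ".").lower()
    return [t for t in re.split(r"\s+", line) if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", t)]


def triage(pm_output, accessibility_output, dns_log):
    """Combine the three captures into a Findings record."""
    f = Findings()
    for pkg in sorted(parse_pm_list(pm_output)):
        if pkg in IOC_PACKAGES:
            f.ioc_packages[pkg] = IOC_PACKAGES[pkg]
    for svc in parse_enabled_accessibility(accessibility_output):
        # An enabled service outside the allow-list is the footprint of the
        # permission auto-granting trick described above; investigate it.
        if svc not in ALLOWED_ACCESSIBILITY_SERVICES:
            f.unexpected_accessibility.append(svc)
    for line in dns_log.splitlines():
        for host in hostnames_in(line):
            for ioc in IOC_DOMAINS:
                if (host == ioc or host.endswith("." + ioc)) and host not in f.ioc_domains:
                    f.ioc_domains.append(host)
    return f


# Constructed sample captures (not real device output) used to exercise the checks.
SAMPLE_PM = """package:com.android.chrome
package:com.tf.thinkdroid.secviewer
package:com.viewer.fastsecure
"""
# The service class after the slash is hypothetical; only the package name is an IOC.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.tf.thinkdroid.secviewer/.SecViewerAccessibilityService"
)
SAMPLE_DNS = """2022-10-05T09:12:44Z 10.0.0.23 A mc[.]pzs[.]kr
2022-10-05T09:13:01Z 10.0.0.23 A www.google.com
"""

if __name__ == "__main__":
    result = triage(SAMPLE_PM, SAMPLE_ACCESSIBILITY, SAMPLE_DNS)
    for pkg, desc in result.ioc_packages.items():
        print(f"[IOC package] {pkg}: {desc}")
    for svc in result.unexpected_accessibility:
        print(f"[accessibility] unexpected enabled service: {svc}")
    for host in result.ioc_domains:
        print(f"[IOC domain] {host}")
```

Package-name matching alone is brittle, since a rebuilt sample can ship under a new name, which is why the accessibility-service check is baseline-driven rather than indicator-driven: any enabled service that is not on the fleet's allow-list deserves a look regardless of what it calls itself.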