NK hackers use fake Facebook accounts to lead defectors to malware in Google Play

North Korea's upcoming talks with the US may be a sign it is opening up but the hermit kingdom isn't willing to let its people off the hook just yet.

Sun Team, a hacking group thought to be loyal to the hermit kingdom, is using stolen South Korean Facebook profiles and Android malware in Google Play to track defectors.

The combination of fake Facebook profiles used to spread links to malicious apps on Google Play is a refinement of previously discovered mobile attack techniques to spy on defectors.

South Korean media in January reported hackers using the messaging app KakaoTalk and fake Facebook accounts to send targets Google’s goo.gl URL shortener links, which led victims to bait apps that might be of interest to North Korean defectors and journalists. These included “Pray for North Korea” and a health care app called “BloodAssistant”.

Both apps loaded a trojan that uploaded data to and received commands from accounts on Dropbox and Yandex, according to security firm, McAfee.

McAfee analysts researching the reports discovered a folder in the Dropbox and Yandex accounts named “sun Team Folder”, leading them to call the group “Sun Team”.

After the attack was discovered, would-be defectors were encouraged to only install Android apps from Google Play. The Sun Team apparently took note of this too.

According to McAfee, the same group has now incorporated Google Play’s support for “unreleased apps” to trick victims into installing malicious apps that can siphon a user’s photos, contacts, and SMS messages.

The attackers are still using bogus Facebook accounts to spread links but instead of leading victims to a random website, victims are directed to an official part of Google Play.

The technique exploits a feature designed to help Android developers release beta apps on Google Play so that keen users can provide early feedback.

Though helpful for legitimate developers, it also helped the Sun Team use Google’s reputation to dupe targets into installing malware.

The unreleased apps on Google Play include AppLockFree and Fast AppLock, two security apps, and another health-related app called “Food Ingredients Info”. Google removed the apps after being notified by McAfee.

While each of the three apps only had 100 downloads, any North Korean defectors who installed the malicious apps would have automatically sent install requests to their contacts, potentially giving the attacker insight into their connections.

The cunning use of Google Play’s beta feature is alarming, but McAfee researchers warn biggest stolen South Korean Facebook profiles presents a bigger threat for future attacks.

“The most concerning thing about this Sun Team operation is that they use photos uploaded on social network services and identities of South Koreans to create fake accounts. We have found evidence that some people have had their identities stolen; more could follow. They are using texting and calling services to generate virtual phone numbers so they can sign up for South Korean online services,” McAfee said.

Copyright © 2018 IDG Communications, Inc.

The 10 most powerful cybersecurity companies