The attack begins with a malware-laced version of a Korean bible study app in the Google Play Store. It’s been downloaded 1,300 times. McAfee attributes the attack to Lazarus Group, which intelligence agencies in the U.S., Britain and elsewhere say is North Korean.
Google Play Store, the app market for the world’s most popular operating system, has a persistent malware issue. On Monday, anti-virus company Avast reported banking malware that avoided Google’s detection and was downloaded thousands of times.
North Korea spends significant resources on building and using cyber-capabilities. One scheme involved stealing $81 million from the central bank of Bangladesh in a heist that ran through the Federal Reserve Bank of New York in 2016. South Korea, North Korea’s chief geopolitical rival alongside the United States, is a frequent target of Lazarus Group hackers.
McAfee researchers said the malware shared multiple characteristics with desktop Lazarus malware discovered in the past, including shared attack infrastructure, code and backdoors.
McAfee attributes the malware to Lazarus Group but does not say Lazarus Group is North Korean.
“And although the debate regarding attribution of attacks will always rage, documenting evolving tactics by threat actor groups allows organizations and consumers to adapt their defenses accordingly,” wrote McAfee analysts Christiaan Beek and Raj Samani.
“We do not know if this is Lazarus’ first activity on a mobile platform,” the researchers said. “But based on the code similarities we can say with high confidence that the Lazarus Group is now operating in the mobile world.”