Kimsuky Pushes DocSwap via QR Phishing as Delivery Apps
South Korean security firm ENKI has linked North Korea–aligned Kimsuky to a fresh mobile campaign that spreads an evolved DocSwap Android trojan through QR-code phishing pages posing as CJ Logistics. The lure persuades victims to sideload a fake parcel-tracking app that silently deploys a powerful remote access tool (RAT).
What happened
- Phishing sites impersonate CJ Logistics and likely arrive via smishing or email, urging users to track a shipment.
- A tracking PHP script checks the browser's User-Agent. Desktop visitors see a QR code to scan with an Android device; mobile visitors are pushed to install a 'security module' under 'international customs security policies.'
- Attackers try to bypass Android's unknown-sources warning by claiming the app is safe and official.
Infection chain and decoys
- The app SecDelivery.apk is delivered from 27.102.137[.]181.
- On launch, it decrypts and loads an embedded encrypted APK, then registers MainService as com.delivery.security.MainService and starts AuthActivity.
- AuthActivity fakes OTP verification: the shipment number 742938128549 is preloaded; the app generates a random six-digit code, displays it in a notification, and prompts the user to type it back in, so the "verification" never leaves the device.
- After input, a WebView opens the legitimate CJ Logistics tracking page (www.cjlogistics[.]com/ko/tool/parcel/tracking) to reinforce legitimacy while the malware activates in the background.
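The dropper behaviour above (an outer APK carrying an encrypted inner APK that is decrypted and loaded at runtime) leaves a simple static artefact: a high-entropy blob sitting among the app's assets. The following triage heuristic is an added example written for this page, not ENKI's or any vendor's detection; it builds a constructed, APK-shaped zip in memory and flags asset entries whose byte entropy looks like encrypted data rather than code or text.

```python
import io
import math
import random
import zipfile

# Encrypted or compressed data approaches 8 bits/byte; DEX, binary XML and
# text assets sit well below this. 7.2 is a conservative triage threshold.
ENTROPY_THRESHOLD = 7.2
# Already-compressed media is legitimately high-entropy; skip it.
COMPRESSED_EXT = (".png", ".jpg", ".jpeg", ".webp", ".ogg", ".mp3", ".ttf")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_embedded_payloads(apk_bytes: bytes, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Return (entry_name, entropy) for assets that look like encrypted blobs.

    A high-entropy file under assets/ or res/raw/ that is not known media is a
    candidate for an embedded payload the app decrypts and loads at runtime."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.startswith(("assets/", "res/raw/")):
                continue
            if name.lower().endswith(COMPRESSED_EXT):
                continue
            ent = shannon_entropy(zf.read(name))
            if ent >= threshold:
                hits.append((name, round(ent, 2)))
    return hits


def build_sample_apk() -> bytes:
    """Construct a toy APK-shaped zip for demonstration (not a real sample)."""
    rng = random.Random(20240101)
    blob = bytes(rng.randrange(256) for _ in range(8192))  # stands in for an encrypted inner APK
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example'/>" * 20)  # constructed
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 4000)  # low-entropy dummy
        zf.writestr("assets/config.txt", b"endpoint=tracking\n" * 50)
        zf.writestr("assets/data.bin", blob)
    return buf.getvalue()
```

Run `find_embedded_payloads(build_sample_apk())` to see only `assets/data.bin` flagged; on a real APK, pair the hit with a check for native or `DexClassLoader`-style loading code before escalating.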
Permissions and RAT capabilities
- Before execution, the malware ensures it has permissions for external storage, internet access, and installing packages.
- It then connects to 27.102.137[.]181:50005 and can receive up to 57 commands, including: keylogging, microphone/audio capture, camera start/stop, file operations and command execution, upload/download, GPS/location, SMS harvesting, contacts, call logs, and enumerating installed apps.
Wider operation and tooling
- ENKI also found two additional lures: a fake P2B Airdrop app and a trojanized build of BYCOM VPN (com.bycomsolutions.bycomvpn) repackaged with malicious code.
- Related infrastructure hosts phishing pages mimicking Naver and Kakao to steal credentials, overlapping with previous Kimsuky campaigns against Naver users.
- The new DocSwap variant shows matured tradecraft, using a native function to decrypt its internal APK and improved decoy flows to maintain victim trust.
How to stay safe
- Avoid scanning unsolicited QR codes and never install apps prompted by web pages or messages.
- Verify delivery updates only via official apps or by manually navigating to known websites; avoid sideloading.
- Keep unknown-sources installation disabled, scrutinize app permissions, and use reputable mobile security tools.
Source: The Hacker News