North Korean cybercrime gang Kimsuky is hacking Android phones to steal data as part of a government intelligence-gathering mission which is focused on South Korea, Japan and the US, new research has revealed. Cyberattacks on smartphones are on the rise globally and could have dangerous implications for companies which allow staff to use their own devices for work purposes.
South Korean cybersecurity company S2W has released research into the gang, which it believes is sponsored by the government in Pyongyang. According to the report, the hackers are targeting individuals and companies across the public and private sectors in South Korea, Japan and the US, in a bid to gather as much intelligence as possible for North Korea.
How is North Korea targeting Android phones?
S2W has warned that Kimsuky is using three different malware families – FastFire, FastViewer and FastSpy – to access Android phones. Handsets running on the Google operating system number some three billion around the world, and are particularly popular in South Korea as it is the home of leading Android phone producer Samsung.
FastFire malware is deployed camouflaged as a Google security plugin, explain Lee Sebin and Shin Yeongjae, researchers at S2W. This approach makes sense for the targets, explains Marcus Fowler, SVP strategic engagements and threats and CEO at security vendor Darktrace Federal, which works with the US defence sector. “Kimsuky’s MO appears to be intelligence gathering and Android is the dominant device provider in South Korea, thereby offering the most opportunities for intelligence collection,” he says. “Attackers both state and non-state will always aim to maximise their return on investment and will therefore target market leaders to increase their chances of success,” he continues.
Victims could face serious consequences. “Targeting mobile phones offers personal details, communications and even geolocation for this pursuit,” says Fowler. “The targeted individual could be tracked, impersonated or even blackmailed based on what is found.”
North Korea has a long history of using cybercrime to help boost its economy as it combats an array of international sanctions. North Korean state-backed hacking gangs such as the Lazarus APT have carried out cryptocurrency heists, launched ransomware attacks and even robbed banks.
Mobile devices are popular cyberattack vector
Mobile device cyber attacks appear to be on the rise, as cybercriminals become smarter and are able to deploy automated attacks which target multiple devices at once, says Fowler. “The trend is growing but it is nothing new,” he says. “What’s changed is that attacks used to focus more heavily on specific individuals, but today, increasing automation and faster computers enable attackers to scale up their operations and conduct these widespread attacks with greater efficiency and speed,” he says.
The UK suffered 158,126 cyberattacks on mobile devices in the second quarter of this year according to research from ThreatFabric. This means it is the seventh most attacked country in the world when it comes to these kind of incidents, with Spain topping the list and the US in fifth. Neither Japan nor South Korea features in the top ten. The most common malware used during this period was Hydra, a banking trojan designed to steal credentials and gain control of the victim’s account.
Many companies allow their workers to use their own devices for work purposes, particularly since the Covid-19 pandemic and the rise of remote working. This presents a security risk as one compromised device can leave entire networks open to attack.
According to a recent report by security company Comparitech, 67% of teams use their own devices regularly for work, while 35% of employees claim they need to work around their company’s security policy to get their job done, suggesting measures to prevent attacks are being bypassed.
Implementing multi-factor authentication (MFA) on a smartphone could protect it from being attacked. According to a report by security company Digital Shadows, two-factor authentication (2FA) deals with the problem of credential theft and subsequent reuse. “2FA is used for online banking, e-commerce, social media and other platforms. So far, it’s the best defence we have against cybercriminals phishing for our credentials or coaxing them out of us through some other social engineering means,” it says.
Ironically, however, the implementation of MFA may increase the risk of the device being attacked, notes Fowler, as specific types of attacks can be launched against devices with this type of security in place. “Adopting MFA to fight credential theft might make mobile phones more attractive targets for intelligence operators looking to gain access to their targets’ accounts,” he adds.