Severity: HIGH
CVSS: 7.5
Priority: 0.850
Executive Summary
ScarCruft (APT37), a North Korean state-sponsored threat group, compromised a Korean-language gaming platform to distribute BirdCall, a surveillance-grade Android malware targeting ethnic Koreans in China, including North Korean defectors. The malware collects audio recordings, contacts, SMS messages, location data, and files from infected devices. While the immediate target population is specific, the supply chain delivery method and the actor's history of expanding operations warrant attention from any organization with Android device exposure or connections to Korean diaspora communities.
Plain & Simple
Are you affected?
Probably, if you are an ethnic Korean living outside North Korea and you downloaded a Korean-language game from an unofficial app store.
What got out
Suspected: Your phone calls and audio may have been recorded.
Suspected: Your contacts and text messages may have been copied.
Suspected: Your location may have been tracked continuously.
Do this now
1. Delete any Korean-language game apps you downloaded from outside the official Google Play store.
2. Check your phone's app permissions and remove microphone, contacts, and location access from unfamiliar apps.
3. Run a security scan using a trusted mobile security app to check for harmful software.
Watch for these
Your phone battery draining faster than normal for no clear reason.
Unexpected data usage spikes, especially overnight or when the phone is idle.
Contacts or people you know receiving strange messages that appear to come from you.
Should you worry?
This threat is targeted: it is aimed specifically at ethnic Koreans in China, especially people who left North Korea. If that does not describe you, your risk is very low. If it does describe you, treat this seriously and remove unfamiliar apps now.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: HIGH (prioritize for investigation)
Actor Attribution: HIGH (ScarCruft, APT37)
TTP Sophistication: HIGH (8 MITRE ATT&CK techniques identified)
Detection Difficulty: HIGH (multiple evasion techniques observed)
Target Scope: INFO (Android devices; users of the compromised Korean-language gaming platform; specific platform name unconfirmed without direct source access)
Are You Exposed?
Your industry is targeted by ScarCruft (APT37) → Heightened risk
You manage Android devices, or your users installed apps from the compromised Korean-language gaming platform (specific platform name unconfirmed without direct source access) → Assess exposure
8 attack techniques identified → Review your detection coverage for these TTPs
Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators.
Business Context
A surveillance-capable implant delivered via a compromised software distribution channel represents a supply chain integrity failure — the kind that bypasses traditional perimeter controls because the malware arrives inside a trusted application. For organizations employing individuals with Korean diaspora ties or connections to North Korean defector support communities, the risk of targeted personnel surveillance is direct. More broadly, this campaign demonstrates that nation-state actors are actively using mobile supply chain compromises, a delivery method that most enterprise mobile security programs are less mature in detecting than desktop equivalents.
You Are Affected If
Your organization has managed Android devices used by employees with Korean diaspora community connections or defector support work
Managed Android devices in your fleet allow sideloading or installation of APKs from sources outside Google Play or your approved enterprise app store
Your MDM or UEM does not enforce app source restrictions or does not flag applications with concurrent microphone, contacts, SMS, and location permissions
Your mobile threat defense solution lacks current ScarCruft or BirdCall signatures or is not deployed on all managed Android endpoints
Your organization operates in regions or sectors historically targeted by ScarCruft, including government, defense, media, or human rights organizations with Korean peninsula focus
Board Talking Points
North Korea's APT37 group compromised a gaming app distribution platform to silently surveil targeted individuals through their Android phones, collecting calls, messages, and location data.
Security teams should immediately verify that company-managed phones cannot install unauthorized apps and that mobile threat defenses are current — within the next 48 hours.
Organizations that take no action on mobile device controls leave employees potentially exposed to covert surveillance by a nation-state adversary with no visible sign of compromise.
Technical Analysis
ScarCruft (also tracked as APT37, Reaper) executed a supply chain compromise against an unconfirmed Korean-language Android gaming platform, trojanizing game applications to deliver BirdCall malware to targeted Android devices.
BirdCall capabilities reported across secondary sources include: audio recording, SMS and contact harvesting, GPS location tracking, and file exfiltration.
The attack chain leverages compromised legitimate distribution infrastructure (T1195.002, Compromise Software Supply Chain) to bypass user trust barriers, with the trojanized APK serving as the initial access vehicle.
Post-installation behaviors map to T1636.002 (Contact List), T1636.003 (SMS Messages), T1430 (Location Tracking), T1533 (Data from Local System), T1437 (Application Layer Protocol for C2), T1418 (Software Discovery), and T1571 (Non-Standard Port). Relevant weaknesses include CWE-267 (Privilege Defined with Unsafe Actions), CWE-494 (Download of Code Without Integrity Check), and CWE-441 (Unintended Proxy/Intermediary). No CVE is assigned, and no patch is applicable given the supply chain delivery model.
Attribution to ScarCruft is assessed at high confidence based on TTP and tooling consistency with prior campaigns. Technical capability detail is medium confidence: this assessment draws exclusively from secondary news reporting (Tier 3 outlets), and no primary threat intelligence report, CISA advisory, or vendor ATR was consulted. Verify technical specifics and IOCs against primary threat intelligence sources before operationalizing detections.
Action Checklist (IR Enriched)
Triage Priority:
URGENT
Escalate immediately to senior IR leadership and legal counsel if any device forensic image confirms BirdCall exfiltration of audio recordings, SMS content, or location data belonging to employees who are North Korean defectors, support defector organizations, or have documented cross-border operations — this constitutes both a targeted nation-state surveillance incident against a protected population and a potential PII breach requiring regulatory notification assessment.
Step 1: Containment — Enforce MDM policy to block sideloading and restrict APK installation to approved sources only on all managed Android devices (Cite: AC-19 / CIS 2.3 / D3-UAP). Block known ScarCruft C2 network destinations at the mobile network segment perimeter using current threat intelligence (Cite: AC-4 / CIS 4.5).
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment Strategy
NIST IR-4 (Incident Handling)
NIST SC-7 (Boundary Protection)
NIST CM-7 (Least Functionality)
CIS 4.4 (Implement and Manage a Firewall on Servers)
CIS 4.5 (Implement and Manage a Firewall on End-User Devices)
Compensating Control
Pull current ScarCruft C2 IOCs from MISP, OpenCTI, or AlienVault OTX (search tag 'APT37' or 'ScarCruft'); push those IPs/domains as deny rules to your perimeter firewall or pfSense ACL immediately. For MDM-less environments: distribute a signed Android Enterprise Device Policy app config or use ADB in restricted mode — run 'adb shell settings put global install_non_market_apps 0' on each enrolled device, then confirm with 'adb shell settings get global install_non_market_apps'. Document the timestamp and device IDs touched.
Preserve Evidence
BEFORE blocking, capture full NetFlow or firewall session logs from the mobile device network segment (Wi-Fi SSID or MDM-reported IP range) for at least 30 days back, focusing on outbound connections over non-standard ports (per MITRE T1571) to IP ranges associated with ScarCruft infrastructure. Preserve MDM enrollment records and device check-in timestamps for all Android assets to establish which devices were online during the compromise window of the gaming platform distribution. If a mobile threat defense (MTD) agent is deployed, export raw event logs before any policy push to prevent log rotation.
Step 2: Detection — Query MDM and UEM telemetry for Android devices with applications installed outside approved channels; flag Korean-language gaming apps requesting microphone, contacts, SMS, location, and storage permissions concurrently (Cite: AU-2 / AU-6 / CIS 8.2). Review network logs from mobile device segments for outbound traffic on non-standard ports consistent with T1571 (Cite: AU-3 / CIS 4.2). Alert on bulk SMS read events, rapid contact enumeration, or high-frequency GPS polling outside foreground app usage patterns consistent with T1636.002, T1636.003, and T1430 (Cite: AU-6 / D3-LAM).
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis
NIST IR-5 (Incident Monitoring)
NIST AU-2 (Event Logging)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST SI-4 (System Monitoring)
CIS 8.2 (Collect Audit Logs)
Compensating Control
Export MDM app inventory reports (Google Workspace endpoint management or Microsoft Intune free tier both expose installed app lists) and diff against your approved app allowlist — flag any APK with a package name not present in Google Play at the time of install or with an install source of 'com.android.packageinstaller' (sideload indicator). For network detection without SIEM: use Wireshark or Zeek on the mobile VLAN uplink and write a display filter such as 'ip.src == [mobile_subnet] && tcp.dstport != 80 && tcp.dstport != 443' to surface T1571 traffic (filter on the destination port rather than 'tcp.port', so the ephemeral source port of ordinary web connections does not match). For permission abuse: pull Android bug reports via 'adb bugreport' and grep for 'RECORD_AUDIO', 'READ_SMS', and 'ACCESS_FINE_LOCATION' grant events correlated to the BirdCall package name once identified.
Preserve Evidence
Capture Android device bug reports ('adb bugreport <device>') for any device that visited or downloaded from the compromised Korean-language gaming platform — these contain the runtime permission grant history, installed package list with install timestamps and sources, and battery/network usage stats per app that will show BirdCall's audio recording and location polling behavior. Extract MDM app installation logs filtered to the timeframe of the supply chain compromise window. Pull network proxy or DNS logs for queries to newly registered domains or domains using Korean-language TLDs (.kr) from mobile device IPs, which ScarCruft has historically used for C2 staging (MITRE ATT&CK T1583.001 — Acquire Infrastructure: Domains).
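The sideload and concurrent-permission check from Step 2, as an added Python example that is not part of this advisory or of any vendor tooling: it parses the text output of 'adb shell pm list packages -3 -i' and 'adb shell dumpsys package <pkg>' and flags packages that were sideloaded, are off the allowlist, or hold RECORD_AUDIO, READ_SMS, READ_CONTACTS and ACCESS_FINE_LOCATION at once. The embedded sample output, the package names, the allowlist and the set of installer values treated as a sideload are constructed assumptions.

```python
"""Triage a device's third-party app list for sideloaded apps holding the surveillance permission set."""
import re
import subprocess
from collections import namedtuple

# Runtime permissions the advisory flags when held concurrently by one app.
WATCHED = {"android.permission.RECORD_AUDIO", "android.permission.READ_SMS",
           "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION"}
# Installer values treated as a sideload indicator (assumption: store installs report
# com.android.vending; the stock package installer or no installer means sideload).
SIDELOAD_INSTALLERS = {"com.android.packageinstaller", "null", ""}
# `pm list packages -3 -i` prints "package:<name>  installer=<installer>" per third-party app.
PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S*)", re.M)
# `dumpsys package <pkg>` lists runtime permissions as "<permission>: granted=true|false, ...".
GRANT_RE = re.compile(r"^\s*(android\.permission\.\S+): granted=true", re.M)

Finding = namedtuple("Finding", "package installer granted reasons")

def parse_package_list(text):
    """Map package name -> installer from `pm list packages -3 -i` output."""
    return {m.group(1): m.group(2) for m in PKG_RE.finditer(text)}

def parse_granted(dumpsys_text):
    """Permissions reported as granted=true in `dumpsys package` output."""
    return set(GRANT_RE.findall(dumpsys_text))

def triage(pkg_list_text, dumpsys_by_pkg, allowlist):
    """One Finding per package with an anomaly; sideloaded apps holding all four permissions first."""
    findings = []
    for pkg, installer in parse_package_list(pkg_list_text).items():
        reasons = []
        if installer in SIDELOAD_INSTALLERS:
            reasons.append("sideloaded")
        if pkg not in allowlist:
            reasons.append("not-on-allowlist")
        granted = parse_granted(dumpsys_by_pkg.get(pkg, "")) & WATCHED
        if granted == WATCHED:
            reasons.append("full-surveillance-permission-set")
        if reasons:
            findings.append(Finding(pkg, installer, tuple(sorted(granted)), tuple(reasons)))
    # Devices carrying the top-ranked findings should be imaged (Step 3) before any removal.
    findings.sort(key=lambda f: ("sideloaded" not in f.reasons,
                                 "full-surveillance-permission-set" not in f.reasons))
    return findings

def collect_from_device(serial):
    """Pull both text sources from a connected device over adb (live use only; the sample is offline)."""
    def sh(*args):
        return subprocess.run(["adb", "-s", serial, "shell", *args],
                              capture_output=True, text=True, check=True).stdout
    pkg_text = sh("pm", "list", "packages", "-3", "-i")
    return pkg_text, {p: sh("dumpsys", "package", p) for p in parse_package_list(pkg_text)}

# Constructed sample output (not from a real device); package names are placeholders.
SAMPLE_PKG_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:kr.example.racinggame  installer=com.android.packageinstaller
package:com.example.notes  installer=com.android.vending
"""
SAMPLE_DUMPSYS = {
    "kr.example.racinggame": """\
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
""",
    "com.example.notes": """\
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
      android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET]
""",
}
ALLOWLIST = {"com.android.chrome"}

if __name__ == "__main__":
    for f in triage(SAMPLE_PKG_LIST, SAMPLE_DUMPSYS, ALLOWLIST):
        print(f.package, f.installer, ", ".join(f.reasons))
```

On a live device, feed the two values returned by collect_from_device(serial) to triage() in place of the samples.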
Step 3: Eradication — Remove all identified BirdCall-infected applications from enrolled devices; cross-reference installed app inventory against unauthorized software list (Cite: CIS 2.1 / CIS 2.3). Revoke device credentials and re-enroll clean devices where infection is confirmed; rotate all credentials accessible from affected devices (Cite: AC-2 / D3-CRO). Update mobile threat defense signatures for BirdCall indicators as released by your MTD vendor (Cite: CIS 7.2 / CIS 7.4).
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication
NIST IR-4 (Incident Handling)
NIST SI-2 (Flaw Remediation)
NIST SI-3 (Malicious Code Protection)
NIST IA-3 (Device Identification and Authentication)
CIS 2.3 (Address Unauthorized Software)
CIS 7.2 (Establish and Maintain a Remediation Process)
Compensating Control
For teams without enterprise MTD: build a YARA rule targeting BirdCall's known characteristics — focus on strings associated with audio exfiltration routines, SMS harvesting classes, and APT37's reuse of obfuscation patterns documented in prior ScarCruft Android tools (RambleOn, Chinotto). Deploy via MobSF (open source) for static analysis of APKs on enrolled devices where you can extract the APK using 'adb shell pm path <package_name>' then 'adb pull <path>'. Perform factory reset on confirmed-infected devices rather than attempting app-only removal — BirdCall-class surveillanceware has demonstrated persistence via accessibility service abuse (MITRE T1626) that survives simple uninstall on some Android versions. Revoke any MDM device certificates via your MDM admin console before re-enrollment.
Preserve Evidence
BEFORE wiping or removing the application, forensically image the device using UFED, Cellebrite UFED4PC, or the open-source Android Backup Extractor targeting '/data/data/<BirdCall_package_name>/' to preserve SQLite databases containing harvested SMS records, contact dumps, and audio file staging directories. Capture a full copy of the device's '/proc/net/tcp' and '/proc/net/tcp6' to document active C2 socket connections at time of eradication. Export the Android Logcat buffer ('adb logcat -d > device_logcat.txt') before any removal action to preserve runtime evidence of BirdCall's collection behavior including file access patterns and network calls.
Step 4: Recovery — Validate managed Android fleet shows no residual C2 beacon activity post-remediation by reviewing mobile segment network logs (Cite: AU-6 / CIS 8.2). Confirm MDM policy enforcing approved-source-only app installation is applied and reporting compliance across all enrolled devices (Cite: AC-19 / CIS 2.3). Verify credentials rotated from affected devices are fully replaced and prior credentials are invalidated (Cite: AC-2 / D3-CRO).
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery
NIST IR-4 (Incident Handling)
NIST IA-5 (Authenticator Management)
NIST CM-6 (Configuration Settings)
NIST AU-12 (Audit Record Generation)
CIS 5.2 (Use Unique Passwords)
CIS 6.2 (Establish an Access Revoking Process)
Compensating Control
Validate C2 silence by monitoring your perimeter firewall deny logs and DNS RPZ block logs for 14 days post-remediation, specifically watching for any queries or connection attempts to the ScarCruft IOC list you blocked during containment — any hit after eradication indicates reinfection or a missed device. For credential rotation without an enterprise PAM tool: generate a prioritized list from the recovered device's contact database backup (from forensic image) and email account linked to the device, then force password reset via your identity provider admin console (Google Workspace Admin or Microsoft Entra ID); enable login audit logging before rotation so you can detect any in-progress account takeover using the stolen credentials. Confirm MDM compliance reporting shows 'Unknown sources: Disabled' for 100% of enrolled Android devices.
Preserve Evidence
Run a final MDM compliance report and export it as timestamped evidence that all previously non-compliant devices are now enrolled and policy-compliant; this serves as the recovery baseline. Query DNS resolver logs (Pi-hole, Cisco Umbrella free tier, or ISP logs) for 14 days post-remediation for any queries matching the ScarCruft C2 domain list — a hit indicates either a missed infected device or an attacker pivoting from stolen credentials. Document all accounts that had authenticated sessions on affected devices during the compromise window, as BirdCall's credential and contact harvesting capability (MITRE T1636 — Protected User Data: Contact List) means those third parties may also require notification.
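The non-standard-port review from Step 2 and the post-remediation DNS watch from Step 4, as one added Python example that is not part of this advisory: it parses Zeek conn.log and dns.log text, flags mobile-segment connections to external hosts on ports outside an allowed set (T1571) and lookups under a blocked-domain list, and lists the devices to re-check. The sample log lines, the 10.20.0.0/24 mobile segment, the allowed-port set and the placeholder-c2.example blocklist entry are constructed assumptions.

```python
"""Find T1571-style outbound traffic and blocked-domain lookups in Zeek logs from a mobile segment."""
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "ts orig_h resp_h resp_p proto")
DnsHit = namedtuple("DnsHit", "ts orig_h query matched")

# Ports the mobile segment is expected to use outbound; anything else is reviewed (assumption).
ALLOWED_PORTS = {53, 80, 123, 443}
# Destinations inside these ranges are internal and out of scope for the C2 check.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_zeek(text):
    """Parse Zeek's tab-separated log using its #fields header; returns one dict per record."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def nonstandard_port_conns(conn_text, mobile_cidr, allowed_ports=ALLOWED_PORTS):
    """conn.log records from mobile_cidr to external hosts on ports outside allowed_ports."""
    mobile = ipaddress.ip_network(mobile_cidr)
    hits = []
    for r in parse_zeek(conn_text):
        src, dst = ipaddress.ip_address(r["id.orig_h"]), ipaddress.ip_address(r["id.resp_h"])
        port = int(r["id.resp_p"])
        if src in mobile and not any(dst in n for n in RFC1918) and port not in allowed_ports:
            hits.append(Conn(r["ts"], r["id.orig_h"], r["id.resp_h"], port, r["proto"]))
    return hits

def blocked_dns_queries(dns_text, blocklist):
    """dns.log queries that equal, or sit under, any domain in the blocklist."""
    hits = []
    for r in parse_zeek(dns_text):
        q = r["query"].lower().rstrip(".")
        for d in blocklist:
            if q == d or q.endswith("." + d):
                hits.append(DnsHit(r["ts"], r["id.orig_h"], q, d))
                break
    return hits

def devices_to_reinvestigate(conn_hits, dns_hits):
    """Distinct mobile-segment sources in either hit list; after eradication each is a missed device."""
    return sorted({h.orig_h for h in conn_hits} | {d.orig_h for d in dns_hits})

def tsv(rows):
    """Render row lists as Zeek-style tab-separated text."""
    return "\n".join("\t".join(r) for r in rows) + "\n"

# Constructed sample logs (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_CONN = tsv([
    ["#separator \\x09"],
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service"],
    ["1700000000.1", "C1", "10.20.0.15", "50123", "203.0.113.7", "443", "tcp", "ssl"],
    ["1700000000.2", "C2", "10.20.0.15", "50124", "198.51.100.9", "8089", "tcp", "-"],
    ["1700000000.3", "C3", "10.20.0.22", "50200", "203.0.113.7", "8443", "tcp", "-"],
    ["1700000000.4", "C4", "10.9.9.9", "40000", "198.51.100.9", "8089", "tcp", "-"],
    ["1700000000.5", "C5", "10.20.0.15", "53000", "10.20.0.1", "53", "udp", "dns"],
])
SAMPLE_DNS = tsv([
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "query"],
    ["1700000100.0", "D1", "10.20.0.15", "5353", "10.20.0.1", "53", "udp", "update.placeholder-c2.example"],
    ["1700000100.1", "D2", "10.20.0.22", "5354", "10.20.0.1", "53", "udp", "www.example.org"],
])
BLOCKLIST = {"placeholder-c2.example"}  # placeholder; real ScarCruft domains come from your TI feeds
MOBILE_CIDR = "10.20.0.0/24"

if __name__ == "__main__":
    conns = nonstandard_port_conns(SAMPLE_CONN, MOBILE_CIDR)
    dns = blocked_dns_queries(SAMPLE_DNS, BLOCKLIST)
    for h in conns + dns:
        print(h)
    print("re-check:", devices_to_reinvestigate(conns, dns))
```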
Step 5: Post-Incident — Review and update mobile device management policy to formally restrict third-party APK installation and define app vetting requirements; document as part of the secure configuration process (Cite: AC-1 / AC-19 / CIS 4.6). Assess whether personnel with access to sensitive data have adequate mobile endpoint controls enforced, including least privilege app permissions (Cite: AC-6 / D3-UAP). Evaluate whether ScarCruft targeting criteria — Korean diaspora connections, defector support, cross-border operations — intersects with your organization's personnel profile; update threat model accordingly (Cite: CIS 7.1). Ensure asset inventory includes all managed mobile devices to support future detection and response (Cite: CIS 1.1).
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity
NIST IR-4 (Incident Handling)
NIST IR-8 (Incident Response Plan)
NIST RA-3 (Risk Assessment)
NIST PM-12 (Insider Threat Program)
CIS 1.1 (Establish and Maintain Detailed Enterprise Asset Inventory)
CIS 5.1 (Establish and Maintain an Inventory of Accounts)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
Conduct a personnel profile review using only HR-approved data: identify employees with Korean-language proficiency, ties to North Korean defector support organizations, or roles involving cross-border operations into China — this mirrors ScarCruft's documented targeting of ethnic Koreans abroad and North Korean defector communities, and should inform tiered mobile security controls for those individuals. For policy gap assessment without a GRC tool: create a simple spreadsheet comparing your current MDM policy settings against the CIS Benchmark for Android (available free at cisecurity.org) and score each gap by data sensitivity of the employees affected. Submit findings as a formal lessons-learned memo referencing this incident, per NIST 800-61r3 §4 requirements, and include recommended timeline for MDM policy hardening.
Preserve Evidence
Compile the full incident timeline from MDM enrollment logs, network firewall logs, and device forensic images collected during earlier phases into a single chronological record — this is the primary artifact for lessons-learned and any regulatory reporting. Document whether any BirdCall-exfiltrated data (audio recordings, SMS content, contact lists, location history) meets PII or sensitive personal data thresholds under applicable privacy regulations (GDPR, South Korea PIPA, or U.S. state laws) that would trigger breach notification obligations; this determination requires legal review. Retain all forensic images and log exports for a minimum consistent with your incident record retention policy (NIST AU-11) and applicable breach notification statutes.
Recovery Guidance
Post-containment, monitor all perimeter firewall and DNS resolver deny logs for ScarCruft IOCs for a minimum of 30 days, as BirdCall's supply chain delivery method means additional devices may have downloaded the trojanized APK before the compromise was detected and could activate beaconing after a delay. Verify that re-enrolled devices pass MDM compliance checks for 'Unknown sources: Disabled' and that no apps with RECORD_AUDIO, READ_CONTACTS, READ_SMS, or ACCESS_FINE_LOCATION permissions exist outside your approved application allowlist. Given ScarCruft's history of credential reuse and pivot to additional targets using harvested contact data, monitor for spearphishing activity targeting individuals whose contact information was present on any confirmed-infected device.
Key Forensic Artifacts
Android device forensic image of '/data/data/<BirdCall_package_name>/' directory: preserves SQLite databases containing staged SMS harvests, contact dumps, audio recording file references, and location logs collected by BirdCall prior to exfiltration — direct evidence of what data was taken and the exfiltration staging behavior (MITRE T1636, T1533).
Android Logcat buffer export ('adb logcat -d'): captures BirdCall runtime behavior including file system access events, permission invocations for RECORD_AUDIO and ACCESS_FINE_LOCATION, and outbound network call logs to C2 endpoints — critical for establishing the malware's collection timeline on each device.
MDM/UEM app installation telemetry: records the install timestamp, install source (sideload indicator: 'com.android.packageinstaller'), and package name of BirdCall on each enrolled device, establishing which users installed the trojanized gaming platform APK and when.
Perimeter firewall and DNS resolver logs for the mobile device network segment: documents outbound C2 beacon traffic on non-standard ports (MITRE T1571) and DNS queries to ScarCruft-associated domains, providing network-layer evidence of active infections and the exfiltration channel used by BirdCall.
Runtime permission grant history from Android bug reports ('adb bugreport'): contains a timestamped record of when BirdCall was granted RECORD_AUDIO, READ_SMS, ACCESS_FINE_LOCATION, and READ_CONTACTS permissions — establishes the moment surveillance capability became active on each device and supports timeline reconstruction for breach notification assessments.
Detection Guidance
Primary detection surfaces are MDM/UEM platforms and mobile threat defense solutions.
Detection should be grounded in the following controls and techniques from the KB.
Log Collection (AU-2, AU-3, CIS 8.2): Ensure audit logging is enabled across all managed Android endpoints and mobile network segments.
Logs must capture: application installation events with source attribution, permission grant events, outbound network connection metadata, and SMS/contact access events. AU-3 requires records to establish what occurred, when, where, and who was involved — apply this standard to mobile telemetry.
Behavioral Indicators to Monitor (AU-6, D3-LAM):
1. Android applications installed outside approved app store channels, particularly Korean-language gaming apps with concurrent microphone, contacts, SMS, location, and storage permission requests — maps to T1418 (Software Discovery) and T1195.002 (Compromise Software Supply Chain).
2. Outbound network traffic from mobile device segments on non-standard ports — maps to T1571 (Non-Standard Port). Flag at the network perimeter per AC-4 and CIS 4.5.
3. Processes with simultaneous microphone, contacts, and SMS permissions active outside normal usage hours — maps to T1636.002 (Contact List) and T1533 (Data from Local System).
4. Bulk SMS read events or rapid contact enumeration on Android endpoints — maps to T1636.002 and T1636.003. Monitor via MDM telemetry; alert using AU-6 review cadence.
5. High-frequency GPS polling inconsistent with foreground app usage — maps to T1430 (Location Tracking). D3-LAM applies for local account and process-level behavioral analysis where supported.
Network-Layer Detection (AC-4, CIS 4.5, D3-PBWSAM): Implement proxy-based web server access mediation (D3-PBWSAM) on mobile egress paths to inspect and log outbound application traffic. Apply default-deny firewall rules on mobile segments per CIS 4.5, and log all denied connection attempts per AU-2.
File and App Integrity (CIS 2.1, D3-FMBV, D3-SFA): Cross-reference installed application inventory against the authorized software list (CIS 2.1). Use file magic byte verification (D3-FMBV) where MDM tooling supports it to flag APKs with mismatched headers. Monitor system configuration files on enrolled devices for unauthorized modification (D3-SFA).
IOC Status: No hashes, domains, or IP addresses are confirmed from secondary reporting at this time. Pull current BirdCall and ScarCruft IOC sets from CISA, your vendor ATR subscription, or applicable ISAC feeds. Cross-reference IOCs against mobile telemetry as they become available. AU-13 (Monitoring for Information Disclosure) supports open-source monitoring for newly published ScarCruft indicators.
Indicators of Compromise
No confirmed IOCs (hashes, domains, or IP addresses) are extractable from secondary sources at this time. For BirdCall C2 infrastructure, pull current indicators from your threat intelligence platform or ISAC feeds; do not operationalize unverified values. Confidence: LOW.
Platform Playbooks
No IOCs or MITRE techniques available for query generation.
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
MITRE ATT&CK: T1636.002, T1437, T1418, T1195.002, T1533, T1636.003, plus two further techniques listed in the Technical Analysis
NIST SP 800-53: CM-7, SA-9, SR-3, SI-7, CM-3, SR-2
MITRE ATT&CK Mapping
T1437: Application Layer Protocol (command-and-control)
T1418: Software Discovery (discovery)
T1195.002: Compromise Software Supply Chain (initial-access)
T1533: Data from Local System (collection)
T1430: Location Tracking (collection)
T1571: Non-Standard Port (command-and-control)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.