
Android Users in South Korea targeted by spyware linked to Chinese Threat Actor

Key Takeaways

  • A China-based Threat Actor (TA) is conducting an Android Spyware campaign targeting Android users in South Korea.
  • The malware is distributed through deceptive phishing websites that pose as adult sites but actually deliver the malicious APK file.
  • Once the malware has infected the victim’s device, it can steal a wide range of sensitive information, including contacts, SMS messages, call logs, images, audio files, screen recordings, and screenshots.
  • The malware can also interfere with incoming calls by blocking, silencing, or redirecting them based on a predefined list of blocked numbers.
  • There are indications of connections between the TA behind the malware and China, potentially linked to the Communist Party of China.
  • Additionally, the spyware contains unfinished keylogging code, suggesting it is still in development and may reappear with additional features in the coming days.


Cyble Research and Intelligence Labs (CRIL) identified a new Android Spyware campaign using VirusTotal intelligence. The campaign has been conducted by a China-linked Threat Actor specifically targeting Android users in South Korea since the beginning of July 2023.

This Android Spyware can steal sensitive information, including contacts, SMS messages, call logs, images, audio files, and even capture screenshots. This malware takes advantage of accessibility services to prevent uninstallation. Furthermore, it includes unused code that could be implemented for the keylogging feature. The presence of this unfinished feature indicates that the malware is still in development and may resurface in the future with enhanced functionalities.

We have discovered more than ten malicious applications that were distributed through the download link at hxxps://tempsstr[.]top. All of these malicious APK files establish communication with a common Command and Control (C&C) server located at hxxps://jkweb255[.]top/.

Interestingly, the download link and the C&C server share the same IP address, 103.94.235[.]26. According to the Whois record, both the download link and the C&C server are registered under the organization name of “John Wu” in Hong Kong, China.

Figure 1 – Whois Record for C&C server

Furthermore, within the malware code, there is a Chinese string “中国共产党万岁,” which translates to “long live the Communist Party of China”, suggesting a connection between the TA and China, either being highly influenced by the Communist Party of China or a supporter of the Party.

The malware also incorporates several Chinese language strings for logging purposes, further indicating that the TA has Chinese origins.

Figure 2 – TAG used in malware indicates a connection between TA and China

Previously, APT41 has been known to focus its cyber activities on South Korea and is suspected to have affiliations with the Communist Party of China. In July, Lookout drew attention to APT41’s use of Android surveillance tools for targeting Android users. However, based on our analysis, we were unable to establish a direct connection between this TA based in China and APT41 or any other APT group.

Initial Infection

During our investigation of the APK file, we also discovered three phishing websites that appear to be adult sites but are, in fact, distributing the malicious APK file.

The phishing sites distributing malware are:

  • hxxp://shankssy[.]
  • hxxp://tephen.dothome[.]
  • hxxp://reddick1[.]

Figure 3 – Phishing site distributing Spyware

The UI of all three websites is identical, with added buttons for the App Store and the Play Store, but the buttons are deceptive. When users click the “App Store” button, they are redirected to hxxps://efsxv[.]lmfpgl[.]com/w01vx, which loads a counterfeit App Store page, shown in Figure 4, with a single “free installation” button linking to hxxps://fyjrqbho[.]com/storage/apk/2023/12220829abtc.apk?e=1693747486&token=yOPFMdCdBgDA9CsYtEm_9qwn6PqUoFJ3rCmnDOxF:acbci6t4A0YZM8f9GaANfssauIA=. Although this URL was inactive at the time of analysis, its path indicates that it was intended to deliver an APK file.

Figure 4 – Fake app store page distributes APK file

Upon clicking the “Play Store” button, the site initiates the direct download of a malicious APK file from the URL hxxps://tempsstr[.]top/app_15.apk.

During our investigation, we couldn’t pinpoint the precise method through which these phishing sites are reaching their victims. However, we have suspicions that the TA may be employing smishing (SMS phishing) or spam emails as a means to distribute malware.

A detailed analysis of this APK file follows in the section below.

Technical Analysis

APK Metadata Information

  • App Name: Enjoy Cam
  • Package Name: com.example.middlerankapp
  • SHA256 Hash: 882fa441b584dd0fcadc7337ec5916d7afde129af9072cb67627c94c66ee4420

Figure 5 – Application metadata information

Abusing Permissions

After installation, the malware first prompts the victim to enable the Accessibility Service. Once this service is enabled, the malware asks the victim to grant the permissions it needs to access sensitive data, and then requests permission to capture the screen, as shown below.

Figure 6 – Malware prompts the victim to grant Accessibility Service and permissions

C&C Communication

Once the spyware successfully obtains all the necessary permissions, it initiates the process of sending sensitive data to the C&C server located at hxxps://jkweb255[.]top/api/.

The spyware transmits this stolen data to distinct API endpoints depending on the type of information, as illustrated in the figure below.

Figure 7 – Malware sends sensitive information to the C&C server

Initially, the spyware registers the device by employing the device number as the equipment identifier and simultaneously sends location details to the C&C server hxxps://jkweb255[.]top/api/equipment/add.

Figure 8 – Malware registers the device with the C&C server

Exposed Victim’s Details

During our examination of the C&C server, we observed some of the exposed stolen data records on the server, revealing that approximately 23 infected devices had been added, excluding our test device, at the time of composing this blog post.

Figure 9 – Exfiltrated records indicating the number of victims targeted

The table below contains the count of exfiltrated information records:

Information type     API endpoint     Record count
Audio Recordings     /audio/add       5
Call logs            /records/add     3244

Monitoring Social Media Applications

The spyware utilizes the Accessibility Service to actively monitor the applications currently in use by the victim. When the victim interacts with specific messaging or social media applications listed below, the spyware sends the application’s package name and other data via a WebSocket connection.

When we interacted with one of the targeted apps on our test device, the spyware did not display any further activity. It appears that the spyware failed to establish a WebSocket connection at this point.

However, we suspect that the malware may be collecting the package names of social media applications, possibly to capture the victim’s conversations through features like screen recording or screenshots. Alternatively, it’s possible that this particular module is incomplete or not fully functional.

The list of targeted messaging and social media apps:

  • telegram.messenger
  • tinder
  • facebook.katana
  • whatsapp

Figure 10 – Malware abusing Accessibility Service to monitor interaction with targeted apps

C&C server Commands

The spyware can receive commands through a WebSocket connection, enabling it to carry out various operations such as gathering contacts, SMS messages, photos, call logs, and initiating other activities. The figure below illustrates the commands executed by the spyware.

Figure 11 – Commands executed by malware

Upon receiving the command “msg_start” from the C&C server via a WebSocket connection, along with additional parameters, the spyware carries out malicious actions depending on the command’s content.

These actions include initiating and stopping audio recordings, capturing images using the target device’s camera, taking screenshots, and starting or stopping screen recording.

Figures 12 and 13 illustrate how the malware handles the initiation or termination of screen recording and the start or stop of audio recording in response to commands from the server. Following these actions, the spyware transmits the captured screen data to the C&C server.

Figure 12 – Malware initiates screen recording based on the server command

Figure 13 – Malware starts Audio recording

Abusing CallScreeningService

In its Android manifest, the malicious application registers a service named “MyCallScreeningService” that extends the Android CallScreeningService.

Legitimate apps use this service to allow or reject incoming calls before they are shown to the user; the spyware implements it for malicious purposes.

The spyware monitors the incoming calls and extracts the caller’s phone number. It then sends this caller’s phone number to the C&C server at hxxps://jkweb255[.]top/api/blocking/view to determine if the number is listed in a database. The server responds with information about whether the number is present in its records.

If the caller’s number is found on the server’s list, the spyware takes action based on the version of the Android operating system running on the device. It may choose to disallow the call, silence it, or reject it. If the caller’s number is not present on the server’s list, the spyware allows the call to proceed as usual.

This behavior indicates that the spyware is designed to interfere with incoming calls based on a predefined list of blocked numbers obtained from the remote server.

Figure 14 – Malware abusing CallScreeningService
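As an added triage example, not code from the report, the following Python script parses a decoded AndroidManifest.xml and flags the combination of components described in this report: an accessibility service, a CallScreeningService and an SMS receiver. The sample manifest is constructed from the names in the report (“.SmsReceiver” is an assumed name), and the score is a simple count of risky declarations, not a malware verdict.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest modelled on the components described in the report; the package
# and the two service names are from the report, ".SmsReceiver" is an assumed name.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.middlerankapp">
  <application>
    <service android:name=".widgetService">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".MyCallScreeningService">
      <intent-filter>
        <action android:name="android.telecom.CallScreeningService"/>
      </intent-filter>
    </service>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Intent actions that, declared together, reproduce the capability set seen in this spyware.
RISKY_ACTIONS = {
    "android.accessibilityservice.AccessibilityService": "accessibility service",
    "android.telecom.CallScreeningService": "call screening service",
    "android.provider.Telephony.SMS_RECEIVED": "SMS receiver",
}

def find_risky_components(manifest_xml):
    """Map each risky intent action found to the component class that declares it."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for comp in root.iter():
        if comp.tag in ("service", "receiver"):
            for action in comp.iter("action"):
                name = action.get(ANDROID_NS + "name")
                if name in RISKY_ACTIONS:
                    found[name] = comp.get(ANDROID_NS + "name")
    return found

def triage(manifest_xml):
    """Return (score, notes): one point per risky action; 3/3 matches the pattern in this report."""
    hits = find_risky_components(manifest_xml)
    return len(hits), [f"{RISKY_ACTIONS[a]}: {c}" for a, c in hits.items()]
```

Run it against a manifest decoded with apktool or aapt; a 3/3 score alone is not proof of malice (a legitimate dialer can declare all three), so it is a prioritisation signal for manual review.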

After examining the data exposed on the C&C server, we observed that TA had included over 28,000 mobile phone numbers in the database. Many of these phone numbers are linked to banks and lending institutions in South Korea.

The records in the figure below display the usernames corresponding to these mobile numbers associated with South Korean banks and loan agencies.

Figure 15 – Exposed data for blocked numbers

Redirecting Calls

Additionally, the spyware has incorporated a feature that allows it to redirect the victim’s incoming calls to a designated mobile number controlled by the TA. When the victim receives a call, the spyware can transmit the caller’s number to a C&C server hxxps://jkweb255[.]top/api/calltransfer/view. Subsequently, the spyware receives instructions on which number to redirect the call to.

Notably, the spyware contains a hardcoded mobile number, “18179468360,” within its code, although it is not currently used for call redirection.

Figure 16 – Call redirection feature
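As an added hunting example (not code from the report), this Python script scans proxy log lines for the C&C host, its hosting IP, the distribution host and the API paths named in the preceding sections (device registration, call blocking, call redirection, audio and call-log upload). The log format and the activity attributed to each path are assumptions, and the log lines are constructed; indicators are stored defanged as published and refanged only at match time.

```python
import re

# Indicators published in the report, kept defanged; refang() restores them for matching.
C2_INDICATORS = ["jkweb255[.]top", "103.94.235[.]26", "tempsstr[.]top"]
# API paths the report attributes to the spyware, mapped to the activity each implies (assumed).
C2_PATHS = {
    "/api/equipment/add": "device registration and location exfiltration",
    "/api/blocking/view": "caller lookup against the call-block list",
    "/api/calltransfer/view": "caller lookup for call redirection",
    "/audio/add": "audio recording upload",
    "/records/add": "call log upload",
}

def refang(indicator):
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def classify(path):
    """Name the C&C activity implied by a request path, or None if the path is not known."""
    for known, meaning in C2_PATHS.items():
        if path.endswith(known):
            return meaning
    return None

# Constructed proxy log: "<timestamp> <client ip> <method> <url>"; not real telemetry.
SAMPLE_LOG = "\n".join([
    "2023-09-01T10:00:01Z 10.0.0.12 GET https://www.example.org/",
    f"2023-09-01T10:00:05Z 10.0.0.12 POST https://{refang(C2_INDICATORS[0])}/api/equipment/add",
    f"2023-09-01T10:03:11Z 10.0.0.12 POST https://{refang(C2_INDICATORS[0])}/api/blocking/view",
    f"2023-09-01T10:05:40Z 10.0.0.12 GET https://{refang(C2_INDICATORS[2])}/app_15.apk",
    "2023-09-01T10:06:00Z 10.0.0.13 GET https://update.example.com/check",
])

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def hunt(log_text):
    """Return (timestamp, client, host, verdict) for each line touching known hosts or paths."""
    hosts = {refang(i) for i in C2_INDICATORS}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, url = m.groups()
        parts = url.split("/", 3)                      # ["https:", "", host, rest]
        host = parts[2] if len(parts) > 2 else url
        path = "/" + (parts[3] if len(parts) > 3 else "")
        verdict = classify(path)
        if host in hosts or verdict:
            findings.append((ts, client, host, verdict or "contact with known C&C/distribution host"))
    return findings
```

The path match is deliberately host-independent so that a rotated C&C domain reusing the same API layout still surfaces; expect some false positives on generic paths such as /records/add and review those by host.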

Based on the exposed data concerning blocked numbers, it becomes evident that the TA can redirect incoming calls selectively, focusing primarily on those originating from financial institutions. The functionality of call redirection and call screening suggests that the TA may be planning to engage in financial fraud using stolen data.

Blocking Incoming SMSs

Each time the compromised device receives an incoming SMS, the spyware transmits the sender’s phone number to the C&C server for verification. It checks whether the sender’s number is listed in the message block database maintained by the TA.

If the number is found in the TA’s database, the spyware sends the details of the text message to the server. If the number is not present in the database, the spyware writes the message to the SMS content provider through the content resolver so that it is shown to the victim as usual.

Much like its call redirection functionality, this selective interception of incoming messages enables the malware to target and potentially extract sensitive information from text messages, such as OTPs or financial details. The figure below illustrates this activity.

Figure 17 – Malware blocks incoming SMSs

Potential Keylogging Activity

The malware includes a class named “widgetService,” which extends the Android AccessibilityService. Within this class is code designed for keylogging by abusing the Accessibility Service. Notably, the malware does not currently invoke this class.

While the code for this module is incomplete, its presence suggests that the malware may intend to introduce new functionalities in the future.

Figure 18 – Potential unimplemented keylogging module


The identification of a sophisticated Android Spyware campaign targeting South Korean Android users reveals the persistent threat posed by malicious actors in the digital landscape. Orchestrated by a China-based TA, this campaign employs a deceptive strategy, luring unsuspecting users with adult-themed websites to distribute malicious APK files.

The spyware itself is a highly invasive threat, capable of surreptitiously exfiltrating a wide range of sensitive data, including contacts, SMS messages, call logs, images, and more. It also exhibits sophisticated functionalities, such as screen capturing and monitoring selected messaging and social media applications. The presence of unfinished features, like keylogging, suggests that the malware is continually evolving, posing an ongoing threat to mobile device users.

Moreover, while the data exposed on the C&C server reveals a limited number of victims thus far, the presence of the uncovered phishing sites and the existence of incomplete modules lead us to anticipate that the TA may broaden its targeting efforts in the near future.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Download and install software only from official app stores like Play Store or the iOS App Store.
  • Use a reputable antivirus and internet security software package on connected devices, including PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

MITRE ATT&CK® Techniques

Tactic                Technique ID   Technique Name
Persistence           T1624.001      Event-Triggered Execution: Broadcast Receivers
Defense Evasion       T1629.001      Impair Defenses: Prevent Application Removal
Discovery             T1430          Location Tracking
Collection            T1429          Audio Capture
Collection            T1616          Call Control
Collection            T1636.003      Protected User Data: Contact List
Collection            T1636.002      Protected User Data: Call Log
Collection            T1636.004      Protected User Data: SMS Messages
Collection            T1513          Screen Capture
Collection            T1533          Data from Local System
Command and Control   T1437.001      Application Layer Protocol: Web Protocols
Exfiltration          T1646          Exfiltration Over C2 Channel

Indicators of Compromise (IOCs)

Indicator                                                          Indicator Type   Description
882fa441b584dd0fcadc7337ec5916d7afde129af9072cb67627c94c66ee4420   SHA256           Hash of analyzed APK
7ff9e6178687849354a79e561c81f3c1cc179d28                           SHA1             Hash of analyzed APK
hxxps://jkweb255[.]top/                                            URL              C&C server
hxxps://tempsstr[.]top/app_15.apk                                  URL              Malware distribution URL