

Ethical Hacking News

ScarCruft's Android Malware Campaign: A Growing Threat to Mobile Security


ScarCruft's Android malware campaign highlights the growing threat landscape in mobile security, where targeted attacks by sophisticated hacking groups continue to evolve and exploit vulnerabilities in popular platforms.

  • The notorious North Korean hacker group ScarCruft has developed a new Android version of their backdoor malware family, dubbed BirdCall, which is being delivered through compromised game platforms in China.
  • The malware is delivered via sqgame[.]net, a Chinese site hosting games for Android, iOS, and Windows; only Android and Windows devices are targeted.
  • BirdCall spyware can extract IP geolocation information, collect the contact list and SMS messages, and exfiltrate files.
  • The Android variant of BirdCall lacks some capabilities present in the Windows version, including shell command execution and traffic proxying.
  • The malware is primarily targeted at Koreans in the autonomous Yanbian region in China, highlighting the complexity of mobile malware threats.
  • Users are advised to minimize risk by only downloading software from official marketplaces, staying updated with security patches, and maintaining robust antivirus protection.



The world of mobile security has been hit with a new and alarming threat, courtesy of the notorious North Korean hacker group ScarCruft. According to recent reports from cybersecurity experts at ESET, ScarCruft has developed an Android version of their existing backdoor malware family, dubbed BirdCall, which is being delivered through compromised game platforms in China.

The threat actor, tracked as APT37 and also known as ScarCruft and Ricochet Chollima, has been delivering the malware via sqgame[.]net, a Chinese site hosting games for Android, iOS, and Windows. However, only Android and Windows are targeted by these attacks.

The Android spyware is a new variant of the BirdCall backdoor family, associated with ScarCruft and documented since 2021. The Windows version can record keystrokes, take screenshots, steal from the clipboard, exfiltrate files, and execute commands. The Android variant introduced in this campaign has the following capabilities:

  • Extracts IP geolocation information
  • Collects contact list, call log, and SMS
  • Collects device OS, kernel, rooted status, IMEI number, MAC address, IP address, and network info
  • Sends to C2 info about battery temperature, RAM, and storage, cloud configuration, backdoor version, and file extensions of interest (.jpg, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .pdf, .m4a, and .p12)
  • Periodically takes screenshots
  • Records audio via the microphone from 7 pm to 10 pm local time
  • Plays a silent MP3 in a loop to prevent the suspension of its process
  • Exfiltrates files from a specified directory

ESET's analysis shows that the Android version of BirdCall does not yet feature all the commands present in the Windows version. Missing capabilities on Android include shell command execution, traffic proxying, targeting data from browsers and messenger apps, file deletion and dropping, and process killing.

The compromised platform caters to Koreans in the Yanbian autonomous region of China, which acts as a crossing point for North Korean defectors and refugees. That the malware is aimed at such a specific audience in this region underscores the complexity of mobile malware threats.

This campaign introduces a previously undocumented Android build of BirdCall, delivered by trojanizing APKs hosted on sqgame[.]net. Although the attacks observed by ESET use the compromised platform as the delivery channel, not every user is targeted, and the Android variant has only been seen distributed through that platform.

ScarCruft's tooling has been a point of concern in recent years because of the broad range of custom malware families the group uses. These include THUMBSBD, which targets air-gapped Windows systems; the KoSpy Android malware that previously infiltrated Google Play; M2RAT, used in targeted espionage attacks; and the Dolphin mobile backdoor.

To minimize the risk of malware infections, users are advised to only download software from official marketplaces and trusted publisher sites. It is also essential for mobile device owners to stay updated with the latest security patches and maintain robust antivirus protection.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/ScarCrufts-Android-Malware-Campaign-A-Growing-Threat-to-Mobile-Security-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/scarcruft-hackers-push-birdcall-android-malware-via-game-platform/

  • https://thehackernews.com/2026/05/scarcruft-hacks-gaming-platform-to.html

  • https://cyberinsider.com/apt37-hacks-gaming-platform-to-spread-new-birdcall-android-spyware/


  • Published: Tue May 5 06:36:33 2026 by llama3.2 3B Q4_K_M
© Ethical Hacking News. All rights reserved.