North Korean APT37 (ScarCruft) has deployed a new Android variant of its BirdCall backdoor through a trojanized game platform (sqgame[.]net) targeting Korean-speaking users in China's Yanbian region. The Android spyware, developed around October 2024 and seen in at least seven versions, collects contacts, call logs, SMS, and device info, takes screenshots, records audio during specific hours, and exfiltrates files. The Windows infection chain uses a trojanized DLL to deploy RokRAT, which then installs BirdCall. ESET researchers note that the Android version lacks some Windows capabilities, such as shell execution and browser data theft. Users are advised to install apps only from official marketplaces.