A sophisticated malware campaign, identified as DocSwap, has been uncovered by the S2W Threat Research and Intelligence Center Talon.
This malware is linked to a North Korean-backed Advanced Persistent Threat (APT) group and targets mobile device users, particularly in South Korea.
The malicious app disguises itself as a “Document Viewing Authentication App” (문서열람 인증 앱); it was first detected on December 13, 2024, and the sample was analyzed on VirusTotal on January 21, 2025.
Technical Capabilities
DocSwap employs a multi-stage infection process, starting with the decryption of an internal “security.db” file using an XOR operation.
It then dynamically loads a DEX file, leading to malicious activities such as keylogging through accessibility services and information theft.
The malware persistently requests permissions, including access to call logs, contacts, SMS messages, and external storage.
It maintains its presence on the device by generating notifications and using the startForeground API to remain active even after system restarts.
DocSwap communicates with a hardcoded Command and Control (C2) server, receiving instructions through a sophisticated command structure that supports 57 different commands for extensive surveillance and data exfiltration.
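The XOR-protected “security.db” stage described above lends itself to a simple triage check: decode a candidate asset and test whether a DEX header appears. The following is an added analyst helper, not code from the S2W report; since the report does not state the key length, it assumes a single-byte key and brute-forces it, and its sample input is constructed rather than a real DocSwap artifact.

```python
"""Triage helper: detect a DEX payload hidden behind a single-byte XOR layer.

Added example, not from the S2W report. DocSwap is described as XOR-decrypting
an embedded "security.db" and then loading it as a DEX file. The key length is
not given in the report, so this assumes a single-byte key (an assumption) and
recovers it by looking for the DEX magic "dex\n03x\0" after decoding.
"""
import re
from typing import Optional

# DEX files start with "dex\n" followed by a three-digit version and a NUL.
DEX_MAGIC = re.compile(rb"dex\n03[5-9]\0")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key (0-255)."""
    return bytes(b ^ key for b in data)


def looks_like_dex(data: bytes) -> bool:
    """True if data begins with a DEX file header magic."""
    return DEX_MAGIC.match(data[:8]) is not None


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Try all 256 single-byte keys; return the one yielding a DEX header, else None.

    Only the first 8 bytes are decoded per candidate, so this stays cheap on
    large assets. A key of 0 means the blob is already a plain DEX.
    """
    head = blob[:8]
    for key in range(256):
        if looks_like_dex(xor_bytes(head, key)):
            return key
    return None


def decode_if_hidden_dex(blob: bytes) -> Optional[bytes]:
    """Return the fully decoded DEX bytes if blob is a XOR'd DEX, otherwise None."""
    key = recover_xor_key(blob)
    if key is None:
        return None
    return xor_bytes(blob, key)


# Constructed sample: a fake DEX header plus filler, encoded with key 0x5A.
SAMPLE_PLAIN = b"dex\n035\0" + bytes(range(32))
SAMPLE_ENCODED = xor_bytes(SAMPLE_PLAIN, 0x5A)

if __name__ == "__main__":
    key = recover_xor_key(SAMPLE_ENCODED)
    print(f"recovered key: {key:#04x}" if key is not None else "no DEX found")
```

On a real APK, point this at the extracted asset and, if a key is recovered, hand the decoded output to a DEX disassembler for further analysis.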
Threat Analysis
The attribution of DocSwap to a North Korean APT group, specifically puNK-004, highlights the evolving tactics of these threat actors in leveraging sophisticated phishing and malware techniques.
Initially, a phishing page impersonating CoinSwap was linked to the malware’s C2 infrastructure. However, recent observations show Naver’s favicon and a peculiar message, suggesting a possible connection to the Kimsuky group.
According to the report, this development underscores the importance of vigilance among mobile users, especially when installing apps that request extensive permissions.
To protect against such threats, users are advised to be cautious with app installations, particularly those requesting accessibility permissions or claiming to be document authentication tools from uncertain sources.
Employing robust antivirus software that can detect and block sophisticated threats is crucial. Regularly updating devices to ensure the latest security patches are applied is also essential.
As cybersecurity threats continue to evolve, staying informed and taking proactive measures are key to safeguarding against these sophisticated attacks.
The collaboration between cybersecurity researchers and the broader community is vital in combating these threats and ensuring a safer digital environment.