While the North Korean propaganda site ‘Joseon Today’ is distributing mobile applications (apps), the possibility is raised that it may be malware that steals users’ information. Because North Koreans cannot access propaganda sites, there is a possibility that ordinary users were targeted.
About a month ago, ‘Joseon’s Today’ opened a link to download mobile applications from their website. If you click the link, the compressed file is downloaded and there is an Android application package (APK) inside.
After uploading the file to Joe sandbox, an online site for detailed malicious code analysis, it was judged to be malicious and was identified as ‘Evador’. This means that it was created in the form of an evasion app to keep the fact that it is performing malicious actions as undetected as possible.
An Android app requires a public key certificate for development. It contains information such as the developer’s name, affiliation, email address, and a digital signature created with the private key of the certification authority. However, in the Today of Chosun app, information about developers and certification bodies is unclear. That said, it’s unclear who developed the app and where it was certified as safe.
In addition, the app asks the user for cell phone information, external storage read permission, Internet use permission, Wi-Fi status change information, and Bluetooth permission.
In Android apps, such a permission request is common to create an execution environment. However, caution is needed in that personal information can be leaked to unknown developers or people closely related to North Korea.
If the user grants the permission to access the mobile phone information requested by the app, the user can know the phone number, voice call and data communication status, and information on the carrier and network operator. Reading the external storage will give you access to the media files.
The official site for Android developers explains that if you acquire location information, you can get accuracy within 50 meters and within a few meters.
Also, when the app acquires Bluetooth-related permissions, it can start searching for devices or manipulate Bluetooth settings to track the user’s location.
According to the research analysis report, it is explained that if these functions work in combination, ‘remote device tracking without permission’, ‘wipe data remotely without permission’, and ‘get device cloud backup’ may appear.
In general, North Koreans are not able to access propaganda sites, so it seems that they are targeting site visitors from other countries. In particular, since the app does not have an English version, it is highly likely that it was aimed at Korean users.
A security expert who requested anonymity said, “It appears to be a permission request of a general Android app.
“However, there is a risk that (various personal) information will be passed on to developers developed in North Korea,” he added.
Source: DailyNK by www.dailynk.com.
*The article has been translated based on the content of DailyNK by www.dailynk.com. If there is any problem regarding the content, copyright, please leave a report below the article. We will try to process as quickly as possible to protect the rights of the author. Thank you very much!
*We just want readers to access information more quickly and easily with other multilingual content, instead of information only available in a certain language.
*We always respect the copyright of the content of the author and always include the original link of the source article.If the author disagrees, just leave the report below the article, the article will be edited or deleted at the request of the author. Thanks very much! Best regards!