North Korean APT37 Targets Ethnic Koreans in China Using Android ‘BirdCall’ Malware Hidden in Mobile Games
A sophisticated cyber espionage campaign linked to the North Korean state-sponsored threat group APT37 has been uncovered targeting ethnic Koreans living in China’s Yanbian region using Android malware named BirdCall. According to cybersecurity researchers at ESET, the malware was distributed through compromised Android card games hosted on the popular gaming website Sqgame.
The campaign highlights North Korea’s expanding cyber surveillance operations aimed at monitoring defectors, refugees, activists, and ethnic Korean communities abroad. By embedding spyware capabilities into seemingly harmless mobile games, the attackers created an effective and stealthy infection mechanism capable of extensive data theft and device surveillance.
BirdCall Malware Hidden Inside Android Card Games
ESET researchers identified at least seven Android applications carrying variants of the BirdCall malware. The malicious apps masqueraded as legitimate Korean-language card and gambling games frequently downloaded by ethnic Koreans in China.
The infected applications were distributed through a compromised software update package available on Sqgame’s website. Users who downloaded or updated these apps unknowingly installed a sophisticated Android backdoor capable of silently monitoring device activity.
The malware’s infection chain reflects a growing trend in which threat actors exploit trusted software ecosystems and regional platforms rather than relying solely on phishing emails or malicious advertisements.
Capabilities of the BirdCall Android Backdoor
Once installed, BirdCall granted attackers extensive surveillance and espionage capabilities on infected Android devices. Researchers found the malware capable of:
- Capturing screenshots of user activity
- Recording phone calls and audio
- Stealing contact lists and SMS messages
- Extracting files and stored documents
- Collecting device information and identifiers
- Monitoring installed applications
- Uploading stolen data to remote command-and-control servers
- Executing remote attacker commands
The spyware operated stealthily in the background while disguising itself as a legitimate gaming application, significantly reducing the likelihood of detection by victims.
APT37 and North Korean Cyber Espionage Operations
APT37, also known as ScarCruft or Reaper, is a North Korean advanced persistent threat group believed to operate under the country’s intelligence apparatus. The group has historically targeted:
- North Korean defectors
- Human rights activists
- Journalists
- Government agencies
- Think tanks and research organizations
- South Korean and East Asian entities
Security researchers have linked APT37 to multiple cyber espionage campaigns dating back to at least 2012. The group is known for leveraging spear-phishing, mobile malware, watering-hole attacks, and social engineering techniques to compromise targets.
This latest BirdCall campaign indicates that North Korean cyber operations are increasingly focused on mobile surveillance, because smartphones hold vast amounts of personal and sensitive information.
Why the Yanbian Region Was Targeted
The Yanbian Korean Autonomous Prefecture in northeastern China contains one of the largest populations of ethnic Koreans outside the Korean Peninsula. Experts believe the campaign specifically targeted individuals with possible connections to:
- North Korean refugee networks
- Defector support groups
- Cross-border communication channels
- Religious and humanitarian organizations
- South Korean contacts
Because many residents in the region communicate in Korean and consume Korean-language applications, the attackers tailored the malware distribution strategy accordingly, significantly increasing the campaign’s effectiveness.
Supply Chain Compromise Raises Security Concerns
One of the most alarming aspects of the campaign is the compromise of the Sqgame update mechanism. Rather than distributing malware independently, the attackers inserted malicious code into software updates delivered through an already trusted platform.
This tactic mirrors broader trends in global cyberattacks where software supply chains are increasingly targeted because they allow threat actors to compromise many users simultaneously while bypassing traditional security warnings.
Recent industry statistics show:
- Software supply chain attacks increased by over 300% globally in recent years
- Mobile malware attacks continue to rise as Android remains the most targeted mobile operating system
- State-sponsored cyber groups increasingly prioritize mobile espionage due to widespread smartphone adoption
Indicators of Compromise and Security Recommendations
Cybersecurity experts recommend Android users take the following precautions:
- Download applications only from trusted app stores
- Avoid installing APK files from third-party websites
- Regularly update Android security patches
- Use reputable mobile security solutions
- Review application permissions carefully
- Monitor unusual device behavior such as excessive battery drain or microphone activity
Organizations supporting refugees, journalists, and activists are also advised to strengthen mobile security awareness and conduct regular device threat assessments.
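One way to act on the permission-review advice above is to triage the output of `adb shell dumpsys package <pkg>` for apps that were sideloaded and hold the permissions BirdCall's capabilities require (call/audio recording, SMS and contact access, file access). This is an added example written for this page, not tooling from ESET or the report; the package name and the dumpsys text are constructed, and the set of permissions treated as surveillance-capable is an assumption based on the capability list above.

```python
import re

# Permissions that map onto the BirdCall capabilities listed above; a card game needs none.
SPY_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "audio/call recording",
    "android.permission.READ_CALL_LOG": "call metadata theft",
    "android.permission.READ_SMS": "SMS theft",
    "android.permission.READ_CONTACTS": "contact list theft",
    "android.permission.READ_EXTERNAL_STORAGE": "file extraction",
}
# Installers treated as store-delivered; anything else (including "null") is a sideload.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample in the shape of `adb shell dumpsys package <pkg>` output;
# the package name is hypothetical, not one from the ESET report.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.cardgame] (3f9a1c2):
    installerPackageName=null
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
"""

def parse_dumpsys_package(text):
    """Extract package name, installer and the set of granted permissions."""
    pkg = re.search(r"Package \[([\w.]+)\]", text)
    installer = re.search(r"installerPackageName=(\S+)", text)
    granted = set(re.findall(r"(android\.permission\.\w+): granted=true", text))
    return {"package": pkg.group(1) if pkg else None,
            "installer": installer.group(1) if installer else "null",
            "granted": granted}

def triage(info):
    """Flag a sideloaded app holding surveillance-capable permissions.
    Returns a list of finding lines; an empty list means nothing to report."""
    hits = {p: why for p, why in SPY_PERMISSIONS.items() if p in info["granted"]}
    if info["installer"] in TRUSTED_INSTALLERS or not hits:
        return []
    findings = [f"{info['package']}: sideloaded (installer={info['installer']}), "
                f"{len(hits)} surveillance-capable permissions granted"]
    findings += [f"  {p} -> {why}" for p, why in sorted(hits.items())]
    return findings

if __name__ == "__main__":
    for line in triage(parse_dumpsys_package(SAMPLE_DUMPSYS)):
        print(line)
```

Run it against real output by piping `adb shell dumpsys package <pkg>` into `parse_dumpsys_package`; apps flagged here warrant a closer look, not automatic removal.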
Growing Role of Mobile Devices in Cyber Espionage
The BirdCall campaign demonstrates how smartphones have become primary targets in modern cyber espionage operations. Unlike traditional desktop infections, mobile malware gives attackers access to:
- Real-time communications
- Location tracking
- Voice recordings
- Personal photos and documents
- Encrypted messaging applications
As geopolitical tensions continue to drive state-sponsored cyber activity, mobile-focused espionage campaigns are expected to increase in both sophistication and scale.
NeuraCyb's Assessment
The discovery of the BirdCall Android malware campaign underscores the persistent and evolving threat posed by North Korean cyber espionage groups. By targeting ethnic Koreans in China through compromised mobile gaming applications, APT37 demonstrated a highly tailored and stealthy surveillance operation focused on intelligence gathering.
The incident also serves as a warning about the growing risks associated with third-party app ecosystems and software supply chain compromises. As threat actors continue adapting their tactics, organizations and individuals alike must prioritize mobile security as a critical component of cybersecurity defense strategies.
NeuraCyb assesses this campaign as a highly targeted cyber espionage operation leveraging social trust, regional targeting, and mobile supply chain compromise techniques to maximize infection success rates. The use of Korean-language gaming applications specifically tailored toward ethnic Korean communities in China demonstrates advanced reconnaissance and victim profiling by APT37.
The BirdCall malware reflects a broader strategic shift among nation-state threat actors toward persistent mobile surveillance operations capable of collecting real-time intelligence from high-value individuals. The compromise of software update infrastructure further indicates that attackers are prioritizing stealth and scalability over traditional phishing-based infection methods.
Organizations operating in politically sensitive regions or supporting vulnerable populations should consider mobile threat defense, application integrity verification, and supply chain security auditing as essential components of their cybersecurity posture.
Reference Links and Sources