
Netcrook


Cyber Intelligence & Threat Trends

Phantom Packages: North Korean Hackers Use QR Code Phishing to Hijack Android Devices

Published: 18 December 2025 10:40 | Category: Cyber Intelligence & Threat Trends | Geo: Asia | Author: HEXSENTINEL

Subtitle: Kimsuky unleashes a new wave of Android malware, exploiting delivery anxieties and QR codes to bypass security and seize control of smartphones.

It starts with a simple text: "Your package is ready for delivery. Track it here." For thousands of people in South Korea, this message, seemingly from a trusted courier, marks the beginning of a digital heist orchestrated by one of North Korea's most prolific cyber-espionage units. In an evolution of its social engineering, the group known as Kimsuky is now using QR codes and fake delivery apps to slip a new Android malware family, "DocSwap," onto the phones of unsuspecting users.

The campaign, uncovered by South Korean cybersecurity firm ENKI, combines technical trickery with psychological manipulation. Victims are lured through smishing (SMS phishing) or phishing emails whose links lead to phishing sites impersonating the logistics company CJ Logistics. If the site is opened from a computer, it displays a QR code and urges the user to scan it with a phone, an increasingly common step in legitimate delivery tracking. Here, however, the code points straight to an APK download outside the official app store.

Once installed, the app, disguised as a legitimate delivery tracker, requests an extensive set of permissions: storage access, internet access, and the ability to install other packages. It then decrypts and launches an embedded, encrypted APK, activating a Remote Access Trojan (RAT) presented to the user as a security module. The whole process is cloaked in legitimacy, with fabricated delivery numbers and OTP screens designed to keep the user tapping through the prompts.

Behind the scenes, the malware opens a covert connection to an attacker-controlled server and waits for instructions; ENKI counts 57 supported commands. These include logging keystrokes, activating the microphone or camera, harvesting SMS messages, contacts and call logs, and manipulating files or downloading further payloads. Notably, Kimsuky also repackaged legitimate apps, such as a VPN client from India's Bycom Solutions, injecting its malicious code to widen the pool of victims.
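The dropper pattern described above (a sideloaded "tracker" that declares install-packages permission and carries an encrypted second-stage APK) is something a triage script can flag before the app is ever run. The following example is added here and is not code from ENKI or from the article; it parses a constructed AndroidManifest.xml (not the real DocSwap manifest, and the package name is invented), checks for the storage + internet + install-packages combination the article attributes to the dropper, and measures byte entropy to spot an embedded asset that is likely an encrypted APK rather than a plain ZIP.

```python
import hashlib
import math
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission set the article attributes to the DocSwap dropper:
# network access, storage access, and permission to install other packages.
INSTALLER_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}
STORAGE_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}

# Constructed sample manifest (hypothetical package name, not the real sample)
# imitating a fake delivery-tracker app that asks for the dropper permission set.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakedelivery">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Delivery Tracker">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

# Constructed stand-in for an encrypted embedded APK: 4 KiB of deterministic,
# high-entropy bytes built from SHA-256 digests (no real ciphertext involved).
ENCRYPTED_BLOB = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128)
)


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return every android:name declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(f"{{{ANDROID_NS}}}name", "")
        for el in root.iter("uses-permission")
    }


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def asset_looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """A plaintext APK is a ZIP and starts with 'PK'; an encrypted payload has
    no recognisable magic and near-maximal entropy."""
    return not data.startswith(b"PK") and shannon_entropy(data) >= threshold


def triage(manifest_xml: str, assets: dict[str, bytes]) -> list[str]:
    """Return a list of finding tags for one unpacked APK."""
    findings = []
    perms = declared_permissions(manifest_xml)
    if INSTALLER_PERMISSIONS <= perms and perms & STORAGE_PERMISSIONS:
        findings.append("dropper-permission-set")
    for name, blob in assets.items():
        if asset_looks_encrypted(blob):
            findings.append(f"high-entropy-asset:{name}")
    return findings


if __name__ == "__main__":
    # Constructed asset directory: one decoy PNG and one encrypted-looking blob.
    assets = {"logo.png": b"\x89PNG" + b"\x00" * 50, "sec.bin": ENCRYPTED_BLOB}
    for finding in triage(SAMPLE_MANIFEST, assets):
        print(finding)
```

In practice the manifest would come from apktool or aapt output and the assets from the unzipped APK; the two heuristics are independent, so a legitimate app that needs REQUEST_INSTALL_PACKAGES (an app store or enterprise MDM client) trips only the first, while the combination with an unexplained high-entropy asset is what warrants a closer look.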

This campaign is not an isolated incident. ENKI's investigation linked its infrastructure to previous Kimsuky operations that targeted South Korean platforms such as Naver and Kakao in credential-harvesting schemes. The group's evolving tactics, QR codes, encrypted payloads and decoy behaviour, show a sustained effort to get past Android's sideloading warnings by exploiting trust in familiar brands and everyday digital routines.

The rise of QR code phishing, especially when combined with delivery-themed lures, signals a new phase in mobile threats. As groups like Kimsuky refine their methods, the practical defences remain unchanged: never install an APK from a link in a text message or a QR code, check a shipment through the courier's official app or website, and treat any "tracker" that asks to install other packages as hostile. For now, that next package notification might deliver more than you bargained for.

WIKICROOK

  • QR Phishing: QR phishing uses deceptive QR codes to lure users to malicious websites or downloads, with the aim of stealing data or infecting devices with malware.
  • APK (Android Package): An APK is the file format used to install apps on Android devices. Installing APKs from unofficial sources (sideloading) bypasses app-store vetting and poses security risks.
  • Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim's device from anywhere, enabling data theft and spying.
  • Smishing: Smishing is a digital scam that uses deceptive SMS messages to steal personal data or money from victims, often by impersonating trusted organisations.
  • WebView: WebView is an embedded browser within an app, letting users view web content without leaving the application or opening a separate browser.