The North Korean hacker group APT37 has been delivering an Android version of a backdoor called BirdCall in a supply-chain attack through a video game platform.
While BirdCall is a known backdoor for Windows systems, APT37, also known as ScarCruft and Ricochet Chollima, has developed a variant for Android that doubles as spyware.
According to researchers at cybersecurity company ESET, the threat actor created BirdCall for Android around October 2024 and developed at least seven versions.
The attacks that ESET observed delivered the malware through sqgame[.]net, a Chinese site hosting games for Android, iOS, and Windows. However, the researchers found that only Android and Windows are targeted by the ScarCruft attacks.
The particular platform caters to Koreans in the autonomous Yanbian region in China, which acts as a crossing point for North Korean defectors and refugees.
Figure: Games on the compromised platform (Source: ESET)
BirdCall spyware
BirdCall is a known malware family associated with ScarCruft and documented since 2021. The Windows version can record keystrokes, take screenshots, steal from the clipboard, exfiltrate files, and execute commands.
The campaign identified by ESET introduces a previously undocumented version of BirdCall developed for Android, which was delivered by trojanizing APKs on sqgame[.]net.
Figure: Trojanized version (right) vs clean APK (left) (Source: ESET)
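A trojanized APK of this kind has to differ from the publisher's build in two observable ways: extra or altered entries (the backdoor's code and a manifest that requests the permissions it needs), and a different signer, because the attacker cannot re-sign with the publisher's key. The following added example, written for this article and not code from ESET or from the campaign, compares a known-clean APK against a suspect download using only the standard library. The two APKs are constructed in-memory zips that stand in for real files; the entry names, certificate placeholders and permission strings are assumptions for illustration. It inspects only the v1 (JAR) signature files under META-INF/; APK v2/v3 signatures live in the APK Signing Block outside the zip entries, so for a real sample also run `apksigner verify --print-certs`.

```python
import hashlib
import io
import zipfile

# File suffixes the APK v1 (JAR) signature scheme uses for its signature blocks,
# which embed the signer's certificate.
SIG_SUFFIXES = (".RSA", ".DSA", ".EC")


def build_apk(entries):
    """Build an in-memory zip from {name: bytes}. Constructed stand-in for an APK (assumption)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def entry_digests(apk_bytes):
    """SHA-256 of every entry in the archive, keyed by entry name."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {n: hashlib.sha256(zf.read(n)).hexdigest() for n in zf.namelist()}


def signer_digests(apk_bytes):
    """Digests of the v1 signature blocks only; a re-signed APK changes these."""
    return {
        n: d for n, d in entry_digests(apk_bytes).items()
        if n.startswith("META-INF/") and n.upper().endswith(SIG_SUFFIXES)
    }


def compare_apks(clean, suspect):
    """Report what a suspect APK adds, removes or changes relative to a known-clean build."""
    clean_e, sus_e = entry_digests(clean), entry_digests(suspect)
    added = sorted(set(sus_e) - set(clean_e))
    removed = sorted(set(clean_e) - set(sus_e))
    # META-INF/ is excluded here because any re-signing rewrites it; it is judged separately.
    modified = sorted(
        n for n in clean_e.keys() & sus_e.keys()
        if clean_e[n] != sus_e[n] and not n.startswith("META-INF/")
    )
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        "extra_dex": [n for n in added if n.endswith(".dex")],
        "signer_changed": signer_digests(clean) != signer_digests(suspect),
    }


# Constructed samples (assumption): a publisher build and a re-signed copy that
# gained a second DEX and a manifest requesting spyware-grade permissions.
CLEAN_APK = build_apk({
    "AndroidManifest.xml": b"<manifest><uses-permission android:name='android.permission.INTERNET'/></manifest>",
    "classes.dex": b"dex\n035\x00game-code",
    "res/layout/main.xml": b"<LinearLayout/>",
    "META-INF/CERT.RSA": b"publisher-certificate-and-signature",
})
TROJANIZED_APK = build_apk({
    "AndroidManifest.xml": (
        b"<manifest><uses-permission android:name='android.permission.INTERNET'/>"
        b"<uses-permission android:name='android.permission.READ_CONTACTS'/>"
        b"<uses-permission android:name='android.permission.READ_SMS'/>"
        b"<uses-permission android:name='android.permission.RECORD_AUDIO'/></manifest>"
    ),
    "classes.dex": b"dex\n035\x00game-code",
    "classes2.dex": b"dex\n035\x00injected-backdoor",
    "res/layout/main.xml": b"<LinearLayout/>",
    "META-INF/CERT.RSA": b"attacker-certificate-and-signature",
})

if __name__ == "__main__":
    for key, value in compare_apks(CLEAN_APK, TROJANIZED_APK).items():
        print(f"{key}: {value}")
```

The decisive signal is `signer_changed`: a game publisher's update is signed with the same key as the previous release, so a different certificate on a file served from the same site means the package did not come from the publisher, whatever the rest of the diff looks like. The added DEX and the permission changes then tell you where to start reversing.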
The Android variant of BirdCall has the following capabilities:
Extracts IP geolocation information
Collects contact list, call log, and SMS
Collects device OS, kernel, rooted status, IMEI number, MAC address, IP address, and network info
Sends to C2 info about battery temperature, RAM, and storage, cloud configuration, backdoor version, and file extensions of interest (.jpg, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .pdf, .m4a, and .p12)
Periodically takes screenshots
Records audio via the microphone from 7 pm to 10 pm local time
Plays a silent MP3 in a loop to prevent the suspension of its process
Exfiltrates files from a specified directory
ESET’s analysis shows that the Android version of BirdCall does not feature all the commands present in the Windows version yet.
Missing capabilities on Android include shell command execution, traffic proxying, targeting data from browsers and messenger apps, file deletion and dropping, and process killing.
On Windows systems, the infection chain begins with the installation of a trojanized DLL (mono.dll) that downloads and executes RokRAT, which then deploys the Windows version of BirdCall.
ScarCruft is notorious for using a broad range of custom malware, including THUMBSBD, which targets air-gapped Windows systems, the KoSpy Android malware that previously infiltrated Google Play, the M2RAT malware used in targeted espionage attacks, and the Dolphin backdoor.
To minimize the risk of malware infections, users are advised to only download software from official marketplaces and trusted publisher sites.