# North Korean APT37 Deploys BirdCall Malware Through Gaming Platform Supply Chain Attack


Cybersecurity researchers have uncovered a sophisticated supply-chain attack orchestrated by APT37 (also known as ScarCruft), a North Korean-linked threat actor, distributing an Android-based variant of the BirdCall backdoor through a compromised video game distribution platform. The campaign represents a notable shift in APT37's tactics, leveraging the massive user base of mobile gaming to inject malware into thousands of unsuspecting devices.


## The Threat


The attack chain centers on BirdCall, a sophisticated Android backdoor that grants attackers extensive remote access and espionage capabilities on compromised devices. Rather than relying on traditional distribution methods, APT37 compromised or impersonated a video game platform, embedding the malicious payload within what appeared to be legitimate gaming applications.


Key attack indicators:

- Malware delivered through trusted app distribution channels
- Silent installation with minimal user-facing indicators
- Full device compromise capability
- Potential for lateral movement into enterprise networks via personal devices

This campaign underscores a critical vulnerability in the mobile supply chain: the implicit trust users place in established app platforms, which makes those platforms attractive targets for sophisticated threat actors seeking mass compromise.


## Background and Context

### Who Is APT37?

APT37, also designated as ScarCruft or Richna, is a long-standing North Korean advanced persistent threat group with documented operations spanning over a decade. The group has been consistently linked to South Korean targets, defectors, and international organizations through attribution conducted by multiple cybersecurity vendors including Kaspersky, SentinelOne, and Google Threat Analysis Group (TAG).

APT37's historical campaigns include:

- Operation GhostSecret (2017-2019): Targeted South Korean media, defense contractors, and financial institutions
- Mobile banking trojans (2016-2020): Distributed through Google Play Store and third-party app markets
- Watering hole attacks: Compromise of legitimate Korean websites to deliver malware
- Spear-phishing campaigns: Highly targeted operations against government and military personnel

The group's operational focus typically aligns with North Korea's strategic interests: intelligence gathering on South Korea, sanctions evasion research, cryptocurrency theft, and disruption of critical infrastructure.


### Understanding BirdCall

BirdCall is a modular backdoor that provides threat actors with persistent command-and-control (C2) access and extensive device manipulation capabilities. While variants have existed in desktop environments, this Android implementation represents a direct mobile adaptation with functionality tailored to smartphone architectures.

Core capabilities include:

- Remote command execution on the compromised device
- Data exfiltration (contacts, call logs, messaging, location)
- Surveillance functionality (camera, microphone access for audio/video recording)
- Credential harvesting (capture of banking credentials, authentication tokens)
- Lateral movement support (use of compromised devices as network pivot points)

## Technical Details


### Distribution Mechanism

The attack leveraged a supply-chain compromise at the distribution layer: either direct compromise of a gaming platform's infrastructure, or impersonation of a legitimate platform via typosquatting or social engineering. Users downloading what appeared to be popular games unknowingly installed the BirdCall backdoor alongside legitimate game functionality.

Distribution timeline and scope:

- Multiple popular game titles used as delivery vectors
- Estimated thousands of installations across Android devices
- Geographic concentration in regions of strategic interest to North Korean intelligence (South Korea, Japan, Southeast Asia)
- Low detection rate due to legitimate app wrapping and minimal on-device behavioral indicators

### Installation and Persistence


Once installed, BirdCall establishes persistence through multiple mechanisms:

1. Scheduled task execution: Leverages Android job scheduling APIs to maintain regular callback intervals
2. Service persistence: Registers as a background service to survive application closes and device reboots
3. Obfuscation techniques: Code strings and network communications are encrypted to evade static analysis
4. Permission escalation: Attempts exploitation of known Android kernel vulnerabilities to achieve system-level access

The malware communicates with command-and-control servers over encrypted HTTPS channels, making network-based detection substantially more challenging than it is for typical malware families.


## Implications

### Impact on Users and Organizations

The successful deployment of BirdCall through gaming platforms carries severe implications across multiple threat vectors:

| Impact Area | Risk Level | Description |
|---|---|---|
| Personal Data Theft | Critical | Contacts, messages, photos, location data exposure |
| Financial Compromise | Critical | Banking credentials, payment apps, cryptocurrency wallets |
| Enterprise Network Access | High | Corporate VPN clients, email, sensitive business data |
| Device Surveillance | High | Covert audio/video recording, keystroke logging |
| Identity Fraud | High | SIM swaps, account takeovers, credential misuse |


### Supply Chain Trust Erosion

This campaign exemplifies a broader threat trend: the weaponization of user trust in application distribution platforms. As users increasingly rely on app stores for software distribution, compromising these platforms at the source provides threat actors with unprecedented scale and persistence.

For organizations with BYOD (Bring Your Own Device) policies, compromised personal phones become direct entry points into corporate networks, particularly if devices have access to VPN clients, email, or cloud services.

### Attribution and Geopolitical Implications

The operation reinforces existing intelligence assessments regarding APT37's technical sophistication and operational maturity. The group's willingness to conduct supply-chain attacks at scale suggests:

- Access to significant development resources
- Strategic patience for long-term intelligence collection
- Primary focus on espionage rather than immediate financial gain
- Coordination with or support from North Korean state interests

## Recommendations


### For Individual Users

- Verify application sources: Download games and apps exclusively from the official Google Play Store or Apple App Store, never from third-party marketplaces
- Review app permissions: Scrutinize requested permissions; gaming apps should never require camera access, contacts, call logs, or precise location
- Enable Google Play Protect: Activate Google's built-in malware scanning and keep it updated
- Monitor device behavior: Watch for unexpected battery drain, data usage spikes, or overheating, all indicators of background malware activity
- Apply security patches: Keep Android OS and all applications fully updated to patch known vulnerabilities
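
As an added illustration (not code from the original report or from any vendor's analysis), the following Python check turns two points above into something a reviewer can run over an APK's extracted `AndroidManifest.xml`: it flags the permissions the user guidance says a game should never request, and the boot-receiver plus background-service wiring described under Installation and Persistence. The manifest it analyzes is constructed for the example and is not the BirdCall sample's real manifest; the package and class names in it are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS          # android:name in ElementTree form
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
# Permissions the report's guidance says a game should never request.
SUSPICIOUS_FOR_GAME = {
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS", "android.permission.ACCESS_FINE_LOCATION",
}


def analyze_manifest(xml_text: str) -> dict:
    """Report game-inappropriate permissions and boot-receiver/service
    persistence wiring found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    app = root.find("application")
    services, boot_receivers = [], []
    if app is not None:
        services = [s.get(NAME) for s in app.iter("service")]
        for rcv in app.iter("receiver"):
            if any(a.get(NAME) == BOOT_ACTION for a in rcv.iter("action")):
                boot_receivers.append(rcv.get(NAME))
    bad = sorted(perms & SUSPICIOUS_FOR_GAME)
    # A boot receiver that can restart a service is the reboot-survival
    # pattern described above; each piece alone is common in benign apps.
    persists = bool(boot_receivers and services)
    return {"suspicious_permissions": bad, "services": services,
            "boot_receivers": boot_receivers, "persistence": persists,
            "flag": bool(bad) or persists}


# Constructed sample manifest (hypothetical, not the BirdCall sample): a
# "puzzle game" that wants contacts and call logs and restarts on boot.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzlegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".SyncService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
```

On a real APK, decode the binary manifest first (for example with apktool) and pass the resulting XML text to `analyze_manifest`; a `flag` of `True` is a reason for manual review, not a verdict on its own.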

### For Organizations


- Mobile device management (MDM): Deploy comprehensive MDM solutions with real-time threat detection on BYOD and corporate devices
- Network segmentation: Isolate personal devices from critical infrastructure; require VPN re-authentication for sensitive systems
- Endpoint detection and response (EDR): Deploy advanced threat detection solutions that monitor process behavior, network communications, and system calls
- Threat intelligence integration: Subscribe to updates on APT37 and related North Korean threat actors to identify indicators of compromise (IoCs)
- User training: Conduct security awareness campaigns emphasizing app store risks, phishing indicators, and safe browsing practices
- Incident response planning: Develop procedures for rapid response to compromised mobile devices, including credential rotation and system access audits

### For Platform Providers


- Code signing verification: Implement robust signing chain verification to reject unsigned or improperly signed applications
- Behavioral analysis: Deploy machine learning-based analysis to detect malicious applications mimicking legitimate software
- Developer identity verification: Strengthen vetting processes to prevent fraudulent developer accounts
- Automated threat intelligence: Subscribe to and integrate real-time threat feeds to detect known malicious applications

## Conclusion


The BirdCall supply-chain attack demonstrates that no platform or distribution channel is immune from sophisticated threat actors. APT37's successful deployment through gaming platforms exposes the tension between user convenience and security, a gap that North Korean state-sponsored actors will continue to exploit.

Organizations and individuals must adopt a zero-trust mindset toward application installation, treating every download as a potential attack vector until verified otherwise. As mobile devices increasingly serve as gateways to corporate networks, sensitive financial systems, and personal data repositories, the stakes of mobile security have never been higher.