North Korea-Backed Lazarus Group Takes Aim at Mobile Device Security | eWeek

North Korea-Backed Lazarus Group Takes Aim at Android Security

North Korea Hacker Groups
Nov 20, 2017
3 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

McAfee released new research on Nov. 20 indicating that the Lazarus Group hacking gang has now moved into the mobile realm. The Lazarus Group has been implicated in multiple large-scale attacks in recent years, including the 2014 attack against Sony Pictures and this year’s WannaCry ransomware attack.

The Lazarus Group is thought to be a nation-state threat adversary operating out of North Korea with government support. The group has been known to use many forms of desktop and server malware in its campaigns, though mobile had not been part of its known arsenal—until now.

“This is the first instance of this actor group using the mobile platform we are aware of,” Raj Samani, chief scientist at McAfee, told eWEEK.


The Lazarus Group made a fake copy of a legitimate app for reading the Bible in Korean that was available from Google Play. The fake Bible reading app took specific aim at users in South Korea. While there have been only approximately 1,300 installations of the real app, Samani noted that the number of malicious installs is currently unknown, as is the number of potential victims.

“McAfee is continuously hunting for new threats targeting a diversity of platforms including mobile,” Samani said. “One of our systems alerted us of suspicious code parts of this malware, and we started the investigation.”


Attribution

McAfee’s analysis points to the Lazarus Group for the new mobile malware due to some indicators that the North Korean hackers have used in the past. One of them was the use of a particular backdoor file delivered as an ELF (executable and linkable format) file.

“This was one of indicators that led us to believe this was Lazarus, since the ELF in this attack is similar to several executables we have seen from this group before,” Samani said. “It is a common technique by the group to hide a Command and Control protocol in an ELF file.”

The mobile malware attack does not abuse any specific known vulnerabilities in Android either. Samani explained that the Lazarus Group mobile app uses a fake digital certificate.

“The certificate used to sign this malware has been seen before signing other mobile malware samples,” he said.

North Korean-based hacking groups including the Lazarus Group have been very active of late, with the Department of Homeland Security recently issuing a warning about its activities. At the SecTor security conference in Toronto, researcher Ashley Shen detailed some of the techniques used to date by the Lazarus Group against non-mobile targets. 

At this point it’s not clear how active the Lazarus Group will be in going after mobile targets. Samani noted that there is no indication that mobile will be the platform of choice in the future, since the new attack is the first that McAfee has observed.   

“Predictions are of course fraught with challenges, but it is not inconceivable that further attacks on the mobile platform will be something we will have to contend with,” he said. 

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.