North Korea-Backed Lazarus Group Takes Aim at Android Security

McAfee discovers new mobile malware that is linked to the same group that was behind the attack on Sony Pictures and the recent WannaCry ransomware worm.

North Korea Hacker Groups

McAfee released new research on Nov. 20 indicating that the Lazarus Group hacking gang has now moved into the mobile realm. The Lazarus Group has been implicated in multiple large-scale attacks in recent years, including the 2014 attack against Sony Pictures and this year’s WannaCry ransomware attack.

The Lazarus Group is thought to be a nation-state threat adversary operating out of North Korea with government support. The group has been known to use many forms of desktop and server malware in its campaigns, though mobile had not been part of its known arsenal—until now.

"This is the first instance of this actor group using the mobile platform we are aware of," Raj Samani, chief scientist at McAfee, told eWEEK.

The Lazarus Group made a fake copy of a legitimate app for reading the Bible in Korean that was available from Google Play. The fake Bible reading app took specific aim at users in South Korea. While there have been only approximately 1,300 installations of the real app, Samani noted that the number of malicious installs is currently unknown, as is the number of potential victims.

"McAfee is continuously hunting for new threats targeting a diversity of platforms including mobile," Samani said. "One of our systems alerted us of suspicious code parts of this malware, and we started the investigation."


McAfee's analysis points to the Lazarus Group for the new mobile malware due to some indicators that the North Korean hackers have used in the past. One of them was the use of a particular backdoor file delivered as an ELF (executable and linkable format) file.

"This was one of indicators that led us to believe this was Lazarus, since the ELF in this attack is similar to several executables we have seen from this group before," Samani said. "It is a common technique by the group to hide a Command and Control protocol in an ELF file."

The mobile malware attack does not abuse any specific known vulnerabilities in Android either. Samani explained that the Lazarus Group mobile app uses a fake digital certificate.

"The certificate used to sign this malware has been seen before signing other mobile malware samples," he said.

North Korean-based hacking groups including the Lazarus Group have been very active of late, with the Department of Homeland Security recently issuing a warning about its activities. At the SecTor security conference in Toronto, researcher Ashley Shen detailed some of the techniques used to date by the Lazarus Group against non-mobile targets. 

At this point it's not clear how active the Lazarus Group will be in going after mobile targets. Samani noted that there is no indication that mobile will be the platform of choice in the future, since the new attack is the first that McAfee has observed.   

"Predictions are of course fraught with challenges, but it is not inconceivable that further attacks on the mobile platform will be something we will have to contend with," he said. 

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.