APT37 pushed BirdCall via games
- ESET says North Korea-linked ScarCruft, or APT37, compromised the Yanbian gaming site sqgame[.]net and slipped a new Android BirdCall backdoor into game downloads. (eset.com)
- The Android malware was developed in at least seven versions since October 2024 and can steal SMS, contacts, call logs, files, screenshots, audio, and keys. (eset.com)
- This matters because the campaign used trusted entertainment software, not phishing, to spy on ethnic Koreans in China’s Yanbian region — likely including defectors. (eset.com)
Android spyware usually shows up through fake banking apps, fake updates, or straight phishing. This case is nastier. ScarCruft — the North Korea-linked group also called APT37 — appears to have turned a niche game platform into a delivery system for surveillance malware. The new piece is an Android version of BirdCall, a backdoor ESET says had previously been known on Windows, and it was hidden inside game downloads from a site aimed at ethnic Koreans in China’s Yanbian region. (eset.com)

### What actually got hacked?

The compromised site was sqgame[.]net, a gaming platform built around Yanbian-themed games. That matters because Yanbian sits on China’s border with North Korea and is home to a large ethnic Korean population. ESET says ScarCruft tampered with both Windows and Android components of the platform, turning normal-looking downloads into spyware delivery vehicles. (eset.com)

### Why use games at all?

Because games lower suspicion. People expect a game to ask for storage access, maybe microphone access, maybe broad permissions they do not read closely. But the bigger advantage is distribution — users went to a site they already trusted and installed the apps intentionally. ESET says it did not find these malicious APKs on Google Play, which means this was a targeted side-load and supply-chain play, not a mass-market app-store scam. (eset.com)

### What is BirdCall on Android?

Basically, it is a mobile espionage implant. The Android variant can collect contacts, SMS messages, call logs, documents, media files, and even private keys. It can also capture screenshots and record surrounding audio. That is a serious set of permissions because it gives the operator both content and context — who you know, what you say, where you are, and what is happening around you. (eset.com)

### Was this a one-off sample?

No — and that is one of the more important details. ESET says Android BirdCall was actively developed across several months, with at least seven versions deployed. Reporting on the campaign says those versions appeared between October 2024 and June 2025, which makes this look less like an experiment and more like a maintained surveillance toolchain. (eset.com)

### Who was the likely target?

Not random mobile gamers. The targeting appears regional and political. ScarCruft singled out a platform used by ethnic Koreans in Yanbian, and ESET says the likely goal was collecting information on people of interest to the North Korean regime — especially refugees or defectors, or people connected to them. That fits the group’s long-running pattern of espionage rather than smash-and-grab cybercrime. (eset.com)

### Why is the supply-chain angle the real story?

Because the trick is trust hijacking. Instead of persuading each victim with a custom lure, the attackers poisoned software that users already meant to download. It is the difference between picking a lock and getting handed the key. Once a trusted platform is compromised, every install becomes a possible foothold. (eset.com)

### What should defenders take from this?

Treat side-loaded entertainment apps as a real intrusion path, especially in targeted environments. Mobile threat hunting usually centers on messaging apps, browsers, and MDM gaps, but this campaign shows that culturally specific game platforms can be just as useful for espionage. The practical response is tighter app allowlisting, monitoring for unusual permission combinations, and much more skepticism around non-store APK installs. (eset.com)

### Bottom line

The big shift here is not just that BirdCall reached Android. It is that ScarCruft used a game platform to do it — quietly, selectively, and in a way that blends into normal user behavior. That makes this less like ordinary malware spam and more like targeted surveillance hidden inside leisure software. (eset.com)
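One way to act on the "unusual permission combinations" advice, as an added example that is not from ESET's report or any BirdCall sample: a heuristic that reads a decoded AndroidManifest.xml (as produced by a tool such as apktool) and flags a side-loaded app whose permissions span several of the data clusters the article says BirdCall collects. The package name and manifest below are constructed placeholders, and the cluster map and threshold are assumptions to tune locally.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permissions grouped by the data the article says BirdCall steals.
# Screenshots and documents have no single manifest permission, so they are
# approximated by storage access; this is a heuristic, not a signature.
CAPABILITY_CLUSTERS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.MANAGE_EXTERNAL_STORAGE"},
}

# A game plausibly needs storage and maybe the microphone; reaching three
# or more clusters is the combination that deserves a human look (assumed).
ALERT_THRESHOLD = 3


def requested_permissions(manifest_xml: str) -> set[str]:
    """Collect android:name from every <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}


def spyware_clusters(manifest_xml: str) -> set[str]:
    """Name the sensitive-data clusters the app's permissions would unlock."""
    perms = requested_permissions(manifest_xml)
    return {name for name, needed in CAPABILITY_CLUSTERS.items() if perms & needed}


def should_alert(manifest_xml: str) -> bool:
    """True when the app spans enough clusters to resemble an implant."""
    return len(spyware_clusters(manifest_xml)) >= ALERT_THRESHOLD


# Constructed sample: a fictional "game" asking for the BirdCall-like set.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""

if __name__ == "__main__":
    print(sorted(spyware_clusters(SAMPLE_MANIFEST)), should_alert(SAMPLE_MANIFEST))
```

Run it over every non-store APK found on managed devices; hits are triage candidates, not verdicts, since a legitimate messaging or dialer app will also trip it.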