Last updated: May 14, 2026 at 10:49 AM UTC
Tag: android-malware (2 articles)

North Korean hackers built a fake Korean game platform to spread Android spyware targeting ethnic Koreans living in China

ScarCruft (also called APT37 or Reaper) built a fake online gaming platform in Korean to spread BirdCall, a previously undocumented Android malware aimed at ethnic Koreans living in China. The Record reports the platform impersonated legitimate Korean-language game communities. BirdCall harvests device information, contacts, SMS, call logs, photos, and microphone audio - capabilities consistent with surveillance of diaspora communities rather than financial gain. ScarCruft has historically targeted North Korean defectors and journalists with similar Android malware lures.

Check
If your organization works with Korean-language communities or journalists covering North Korea, check Android devices for unfamiliar Korean game apps installed since early 2026, and in particular for any that were sideloaded rather than installed from Google Play. Review app permissions for SMS, contacts, call log, photos/media, and microphone access, since that combination matches BirdCall's reported collection set.
Affected
Android users in ethnic Korean communities in China, North Korean defectors, journalists covering North Korea, human-rights organizations, and South Korean policy researchers. Diaspora communities are the primary target. Organizations supporting diaspora communities or refugee networks face downstream risk through their constituents.
Fix
On managed Android devices: enforce Google Play Protect, block sideloading of APKs from unknown sources, and require MDM approval for any Korean-language gaming app. For at-risk individuals: factory-reset Android devices that may have installed the fake platform, then reinstall apps only from Google Play. Follow Citizen Lab guidance for journalists working on North Korea topics.

Scammers used Telegram's built-in mini-apps to impersonate Apple, NVIDIA, and Disney for crypto fraud and Android malware - all running on the same backend

CTM360 disclosed a large-scale fraud platform called FEMITBOT that uses Telegram's Mini App feature to host crypto scams, impersonate major brands, and distribute Android malware. The platform impersonates Apple, Coca-Cola, Disney, eBay, IBM, NVIDIA, BBC, and others - all backed by the same shared infrastructure identified by a common API response. The mini-apps display fake balances, countdown timers, and limited-time offers inside Telegram's WebView. Some campaigns push fake Android APKs hosted on the same domain as the API to ensure valid TLS certificates. Meta and TikTok tracking pixels measure conversion rates.

Check
Brief staff that any Telegram bot promoting cryptocurrency investments, asking them to deposit funds, or prompting them to install an APK is fraud - regardless of which brand the bot claims to represent.
Affected
Telegram users worldwide who interact with bots claiming to represent major brands. Acute risk for cryptocurrency-curious users targeted by 'investment opportunity' lures, and for Android users sideloading APKs from Telegram-shared links. Organizations whose brand is being impersonated face customer-trust damage even though none of their own systems were compromised; the fraud relies entirely on user behavior.
Fix
Block sideloading of APKs on managed Android devices and require Google Play Protect to remain enabled. For brand protection teams: monitor Telegram for bots using your company name and report them via Telegram's official channels. The platform's Mini App vetting is essentially nonexistent, so reactive moderation is the only path. Treat any 'official' Telegram bot as unverified by default.
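Both Fix sections above (the ScarCruft item and this FEMITBOT item) call for the same managed-device controls: no sideloading, Play Protect enforced, and new apps gated on admin approval. The snippet below is an added example, not code from either article or from Google: it shows a permissive policy beside a hardened one using the field names of the Android Management API `Policy` resource (an assumption; other MDMs expose the same controls under different names), plus a small audit that reports which controls a given policy fails to state explicitly. The `developerSettings` control is added here as a caveat the articles do not mention: `adb install` bypasses the unknown-sources toggle, so leaving developer options open reopens a sideloading path.

```python
# Added example (not from the articles). Field names follow the Android
# Management API Policy resource; both policies below are constructed samples.
from typing import Dict, List, Tuple

# Permissive: untrusted installs allowed, Play Protect left to the user,
# every Play app available unless explicitly blocked.
WEAK_POLICY: Dict = {
    "installUnknownSourcesAllowed": True,          # deprecated field, still present in old policies
    "playStoreMode": "BLACKLIST",
    "advancedSecurityOverrides": {
        "untrustedAppsPolicy": "ALLOW_INSTALL_DEVICE_WIDE",
        "googlePlayProtectVerifyApps": "VERIFY_APPS_USER_CHOICE",
        "developerSettings": "DEVELOPER_SETTINGS_ALLOWED",
    },
}

# Hardened: no sideloading, Play Protect enforced, only listed apps installable
# (so a Korean-language "game" or a Telegram-pushed APK needs admin action first).
HARDENED_POLICY: Dict = {
    "playStoreMode": "WHITELIST",
    "applications": [
        {"packageName": "com.android.chrome", "installType": "AVAILABLE"},
    ],
    "advancedSecurityOverrides": {
        "untrustedAppsPolicy": "DISALLOW_INSTALL",
        "googlePlayProtectVerifyApps": "VERIFY_APPS_ENFORCED",
        "developerSettings": "DEVELOPER_SETTINGS_DISABLED",
    },
}

# Controls the audit requires to be stated explicitly (path -> expected value).
REQUIRED: Dict[Tuple[str, ...], str] = {
    ("advancedSecurityOverrides", "untrustedAppsPolicy"): "DISALLOW_INSTALL",
    ("advancedSecurityOverrides", "googlePlayProtectVerifyApps"): "VERIFY_APPS_ENFORCED",
    ("advancedSecurityOverrides", "developerSettings"): "DEVELOPER_SETTINGS_DISABLED",
    ("playStoreMode",): "WHITELIST",
}


def audit_policy(policy: Dict) -> List[str]:
    """Return one line per control that is missing or set to a weak value."""
    problems = []
    for path, want in REQUIRED.items():
        node = policy
        for key in path:
            node = node.get(key) if isinstance(node, dict) else None
        if node != want:
            problems.append(f"{'.'.join(path)} is {node!r}, want {want!r}")
    if policy.get("installUnknownSourcesAllowed"):
        problems.append("installUnknownSourcesAllowed=true; remove it rather than leave it set")
    return problems


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "->", audit_policy(pol) or "OK")
```

The audit insists on explicit values rather than trusting API defaults, so that a policy exported from the console can be diffed and reviewed without knowing which unspecified enum maps to which behavior on a given MDM version.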