North Korean hackers built a fake Korean game platform to spread Android spyware targeting ethnic Koreans living in China

ScarCruft (also called APT37 or Reaper) built a fake online gaming platform in Korean to spread BirdCall, a previously undocumented Android malware aimed at ethnic Koreans living in China. The Record reports the platform impersonated legitimate Korean-language game communities. BirdCall harvests device information, contacts, SMS, call logs, photos, and microphone audio - capabilities consistent with surveillance of diaspora communities rather than financial gain. ScarCruft has historically targeted North Korean defectors and journalists with similar Android malware lures.

Check

If your organization works with Korean-language communities or journalists covering North Korea, check Android devices for unfamiliar Korean game apps installed since early 2026. Review app permissions for SMS, contacts, and microphone access.

Affected

Android users in ethnic Korean communities in China, North Korean defectors, journalists covering North Korea, human-rights organizations, and South Korean policy researchers. Diaspora communities are the primary target. Organizations supporting diaspora communities or refugee networks face downstream risk through their constituents.

Fix

On managed Android devices: enforce Google Play Protect, block sideloading of APKs from unknown sources, and require MDM approval for any Korean-language gaming app. For at-risk individuals: reset Android devices that may have installed the fake platform, and use only verified Google Play apps. Follow Citizen Lab guidance for journalists working on North Korea topics.