FastViewer Android Malware Linked with North Korean Threat Actor
A team working with mobile security firm Talon Cyber Security identified a new trio of malicious packages targeting Android devices. All three malware packages are linked to a threat actor operating out of North Korea and known by the handle "Kimsuky group".
The three new malware variants are named FastFire, FastSpy and FastViewer. All three were found targeting Android devices.
While FastFire is distributed in the guise of a Google security update for the device, FastViewer poses as the Hancom Office Viewer application. The Hancom viewer is a legitimate application with millions of downloads on the official Google Play Store; FastViewer is a repackaged copy of it with malicious code injected into the package.
On the surface, the malicious FastViewer behaves like a normal file viewer, but its malicious functionality kicks in only when it opens a specially doctored file created by the malware's authors. The application checks the first four bytes of each file it opens, and if they match the expected values, the malware contacts its command and control servers.
Once this happens, FastViewer also downloads the FastSpy malware on the infected device.