According to a recent security report, the North Korean hacker group APT37 is distributing an Android malware strain called “BirdCall” in a supply-chain attack through a compromised video game platform. BirdCall is a known backdoor for Windows systems, but APT37, also known as ScarCruft and Ricochet Chollima, has developed an Android variant that also functions as spyware.
Researchers at cybersecurity company ESET say the threat group created BirdCall for Android around October 2024 and has since developed at least seven versions. BirdCall has been associated with ScarCruft since at least 2021. The Windows version reportedly records keystrokes, takes screenshots, steals clipboard contents, exfiltrates files, and executes commands. ESET found the malware being delivered via sqgame.net, a Chinese site that hosts games for Android, iOS, and Windows; the campaign, however, targets only Android and Windows devices.[1]
The attackers reportedly use trojanized versions of game-related apps to trick users into installing the malicious software. The apps appear legitimate but deploy BirdCall once installed. The Android variant, delivered as malicious APKs on sqgame[.]net, harvests a wide range of sensitive user data, including IP geolocation, call logs, SMS messages, contact lists, and device details.
It also collects kernel details, root status, the IMEI, MAC address, IP address, and network information. It can record audio via the microphone between 7 PM and 10 PM, periodically take screenshots, and play a silent MP3 in a loop so that Android does not suspend its process, among other actions. The malware reportedly sends system data such as battery temperature, storage, RAM usage, and cloud configuration to a command-and-control server.
Despite this long list of capabilities, the Android version of BirdCall lacks several of the Windows version's abilities: shell command execution, traffic proxying, theft of data from browsers and messenger apps, file deletion, and process killing.
Windows infection chain - On Windows systems, the attack begins with a trojanized DLL file (mono.dll), which installs RokRAT malware. RokRAT then deploys the Windows version of BirdCall. ScarCruft has deployed a broad range of custom malware tools in espionage campaigns. These include THUMBSBD for targeting air-gapped Windows systems, the KoSpy Android malware that previously reached Google Play, M2RAT, used in targeted attacks, and the Dolphin backdoor.
Given campaigns like this one, it remains best practice to install apps only from official app stores and trusted sources. Sideloaded software remains a primary infection vector in such campaigns, so limiting it reduces the risk considerably.
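One practical check that follows from this advice: list the third-party packages on a managed Android device, flag those that did not come from a trusted store, and prioritise any that also hold permissions a game has no business holding (microphone, SMS, call log, contacts, the same data sources BirdCall is reported to collect). The script below is an added example, not code from ESET or the original article. It assumes the output formats of `adb shell pm list packages -i -3` and `dumpsys package <pkg>` shown in the constructed sample strings, and the package names in those samples are made up.

```python
"""Triage helper for sideloaded Android packages.

Added example (not from the ESET report or the article). Assumes:
  - `adb shell pm list packages -i -3` prints lines like
        package:<name>  installer=<installer-package or null>
  - `adb shell dumpsys package <name>` lists permissions as
        android.permission.X: granted=true
The sample inputs below are constructed for the example.
"""
import re
from dataclasses import dataclass, field

# Installer package names treated as trusted stores. An organisation would
# extend this with its MDM or vendor store (assumption: Google Play only here).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Permissions that map to the data BirdCall is reported to harvest.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
}

PKG_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")
GRANTED_PERM = re.compile(r"(android\.permission\.[A-Z_]+): granted=true")


@dataclass
class Finding:
    package: str
    installer: str
    sideloaded: bool
    suspicious_perms: list = field(default_factory=list)


def parse_pm_list(output: str) -> dict:
    """Map package name -> installer from `pm list packages -i` output."""
    result = {}
    for line in output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            result[m.group("pkg")] = m.group("inst")
    return result


def granted_permissions(dumpsys_output: str) -> set:
    """Permissions reported as granted=true in `dumpsys package` output."""
    return set(GRANTED_PERM.findall(dumpsys_output))


def triage(pm_output: str, dumpsys_by_pkg: dict) -> list:
    """One Finding per third-party package, with sideload and permission flags."""
    findings = []
    for pkg, inst in parse_pm_list(pm_output).items():
        sideloaded = inst not in TRUSTED_INSTALLERS
        perms = granted_permissions(dumpsys_by_pkg.get(pkg, ""))
        findings.append(Finding(pkg, inst, sideloaded,
                                sorted(perms & SUSPICIOUS_PERMISSIONS)))
    return findings


def prioritised(findings: list) -> list:
    """Packages that are both sideloaded and hold a suspicious permission."""
    return [f for f in findings if f.sideloaded and f.suspicious_perms]


# Constructed sample output (not from a real device).
SAMPLE_PM = """\
package:com.example.game  installer=null
package:com.example.notes  installer=com.android.vending
package:com.example.tool  installer=null
"""
SAMPLE_DUMPSYS = {
    "com.example.game": (
        "  runtime permissions:\n"
        "    android.permission.RECORD_AUDIO: granted=true\n"
        "    android.permission.READ_SMS: granted=true\n"
        "    android.permission.INTERNET: granted=true\n"
    ),
    "com.example.notes": "    android.permission.RECORD_AUDIO: granted=true\n",
    "com.example.tool": "    android.permission.INTERNET: granted=true\n",
}

if __name__ == "__main__":
    for f in prioritised(triage(SAMPLE_PM, SAMPLE_DUMPSYS)):
        print(f"{f.package} (installer={f.installer}): {', '.join(f.suspicious_perms)}")
```

On a real device, feed the script the captured `adb` output rather than the sample strings; a sideloaded package is not proof of compromise, but a sideloaded game holding microphone and SMS access is the combination worth pulling the APK for.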
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information (CTI) via a notification/Tier I analysis service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.androidheadlines.com/2026/05/scarcruft-birdcall-android-spyware-gaming-apps.html