ScarCruft hackers push BirdCall Android malware via game platform
Source: Bleeping Computer
APT37 delivers BirdCall Android via a gaming platform supply‑chain attack

The North Korean hacker group APT37 has been delivering an Android version of a backdoor called BirdCall in a supply‑chain attack through a video‑game platform. While BirdCall is a known backdoor for Windows systems, APT37 (also known as ScarCruft and Ricochet Chollima) has developed a variant for Android that doubles as spyware.
According to researchers at cybersecurity company ESET, the threat actor created BirdCall for Android around October 2024 and has released at least seven versions. The attacks delivered the malware through sqgame[.]net, a Chinese site hosting games for Android, iOS, and Windows. Only Android and Windows are targeted by the ScarCruft attacks. The platform primarily serves Koreans in the autonomous Yanbian region of China, a crossing point for North Korean defectors and refugees.

BirdCall spyware
BirdCall is a malware family associated with ScarCruft and documented since 2021. The Windows version can record keystrokes, take screenshots, steal clipboard data, exfiltrate files, and execute commands.
The campaign identified by ESET introduces a previously undocumented Android version of BirdCall, delivered by trojanizing APKs on sqgame[.]net.

Capabilities
- Extracts IP geolocation information
- Collects contact list, call log, and SMS
- Gathers device OS, kernel, root status, IMEI, MAC address, IP address, and network info
- Sends to C2 battery temperature, RAM, storage, cloud configuration, backdoor version, and file extensions of interest (.jpg, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .pdf, .m4a, .p12)
- Periodically takes screenshots
- Records audio via the microphone from 7 pm to 10 pm local time
- Plays a silent MP3 in a loop to prevent suspension of its process
- Exfiltrates files from a specified directory
ESET’s analysis shows that the Android version does not yet include all commands present in the Windows version. Missing capabilities on Android include shell command execution, traffic proxying, targeting data from browsers and messenger apps, file deletion and dropping, and process killing.
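The capability list above maps fairly directly onto the Android permissions a trojanized game would have to declare. The following triage script is an added example, not code from ESET or the article: it parses the uses-permission entries of an AndroidManifest.xml, checks which of the surveillance capabilities described for BirdCall the declared permissions would support, and flags a "game" that asks for several of them. The permission names are real Android constants; the capability-to-permission mapping, the threshold, and the two sample manifests are this example's own assumptions.

```python
"""Triage an Android app's declared permissions against the BirdCall-style
capability set described in the article (added example; assumed mapping)."""
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: capability from the article -> permissions an APK would
# need to implement it. Weights are deliberately flat; the count matters.
CAPABILITY_PERMISSIONS = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "sms": {"android.permission.READ_SMS"},
    "device_identity": {"android.permission.READ_PHONE_STATE"},
    "microphone_recording": {"android.permission.RECORD_AUDIO"},
    "file_exfiltration": {"android.permission.READ_EXTERNAL_STORAGE"},
    "background_persistence": {"android.permission.FOREGROUND_SERVICE"},
}

# File extensions the article lists as being of interest to the backdoor.
EXTENSIONS_OF_INTEREST = {
    ".jpg", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
    ".txt", ".hwp", ".pdf", ".m4a", ".p12",
}

# Constructed sample manifests (not real APK artifacts).
TROJANIZED_GAME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.trojanized.game">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
</manifest>"""

BENIGN_GAME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign.game">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""


def extract_permissions(manifest_xml: str) -> set[str]:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def surveillance_capabilities(declared: set[str]) -> set[str]:
    """Capabilities from the assumed mapping that the declared permissions cover."""
    return {cap for cap, perms in CAPABILITY_PERMISSIONS.items() if perms <= declared}


def assess_game_apk(manifest_xml: str, threshold: int = 3) -> dict:
    """Flag an app as suspicious when it could implement >= threshold capabilities.

    A game rarely needs contacts, call logs, SMS, or the microphone; several of
    these together is a strong signal worth a closer look."""
    declared = extract_permissions(manifest_xml)
    caps = surveillance_capabilities(declared)
    return {
        "permissions": sorted(declared),
        "capabilities": sorted(caps),
        "suspicious": len(caps) >= threshold,
    }


def files_of_interest(paths: list[str]) -> list[str]:
    """Select files whose extension is in the backdoor's list, e.g. to scope
    what data may have been exposed on a compromised device."""
    return [p for p in paths if PurePosixPath(p).suffix.lower() in EXTENSIONS_OF_INTEREST]


if __name__ == "__main__":
    for name, manifest in (("trojanized", TROJANIZED_GAME_MANIFEST),
                           ("benign", BENIGN_GAME_MANIFEST)):
        print(name, assess_game_apk(manifest))
    print(files_of_interest(["/sdcard/Documents/report.hwp", "/sdcard/game/level1.bin"]))
```

In practice the manifest would come from decoding the APK (for example with apktool or aapt); this script only shows the decision logic, and the threshold should be tuned against the app category being reviewed.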
Infection chain (Windows)
On Windows systems, the infection chain begins with the installation of a trojanized DLL (mono.dll) that downloads and executes RokRAT, which then deploys the Windows version of BirdCall.
Other ScarCruft malware
ScarCruft is notorious for using a broad range of custom malware, including:
- THUMBSBD – targets air‑gapped Windows systems
- KoSpy – Android spyware that previously infiltrated Google Play
- M2RAT – used in targeted espionage attacks
- Dolphin – mobile backdoor
Mitigation
To minimize the risk of malware infections, users should only download software from official marketplaces and trusted publisher sites.