
In December 2025, it was revealed that the North Korean cyber espionage group KIMSUKY was using a new attack method to specifically target Android devices and install malware on them. Using deceptively realistic QR codes, phishing websites, and manipulated apps, the attackers were infiltrating a highly sophisticated Remote Access Trojan (RAT) onto the mobile devices of targeted individuals – primarily in South Korea, but with tactics and strategies that apply globally. The goal: data theft, industrial espionage, and surveillance.
This attack targets businesses. What makes it particularly insidious is that its technical complexity is well disguised, and the attack surface lies in everyday life – seemingly harmless delivery app links, fake VPNs, download prompts via QR codes. Companies that support BYOD (Bring Your Own Device) models or hybrid work environments are especially vulnerable.
CEOs and security officers now have to ask themselves: How can they ensure that the mobile devices of management, project managers, or employees in sensitive roles don't become espionage tools for foreign states? What risks to trade secrets, intellectual property, and the supply chain arise from mobile attack vectors? And how can the mobile attack surface be secured with manageable effort?
The KIMSUKY group has specialized in cyberattacks on behalf of the North Korean regime for years. Their focus is on acquiring politically, scientifically, and economically relevant information abroad. In their latest campaign, they are exploiting social habits—such as scanning QR codes—to launch attacks on Android devices.
Users are being deceived by insidious, realistic phishing websites that imitate South Korean delivery services like "CJ Logistics." The website prompts visitors to verify their identity under the guise of security measures – including downloading a supposed security app via a QR code. However, this conceals the attacker's actual access point: a malware-infected app ("SecDelivery.apk") that silently installs and activates a full-fledged spyware program ("DocSwap").
This app requests permissions to access data, files, messages, GPS, and the microphone. Once the user has installed it and granted these permissions, the malware takes over key functions of the device. Even worse, the app disguises itself as a legitimate authentication service, generates fake OTP codes, downloads malware in the background, and conceals its activities from the user by opening legitimate websites. Its technical mechanisms enable a total of 57 different commands, including keystroke logging, camera and microphone access, and the execution of external commands.
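The permission set described above (messages, location, microphone, background installs) is itself a detection signal. The following is an added example, not code from the article or from ProSec: a static triage of a decoded AndroidManifest.xml that flags apps declaring spyware-style permission combinations their stated purpose does not justify. It assumes the manifest has already been decoded from the APK's binary XML with a tool such as apktool; the sample manifest, package name, risk groups and blocking threshold are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups that, declared together, match the spyware profile described
# in the article: OTP/SMS interception, location tracking, audio capture, sideloading.
RISK_GROUPS = {
    "messages": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "sideload": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name="..."> values in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(manifest_xml: str, expected_groups=()) -> dict:
    """Compare declared risk groups against what the app's stated purpose justifies.

    expected_groups: risk groups a reviewer accepts for this app (e.g. a delivery
    tracker may legitimately need "location"). Threshold of 3 unexpected groups
    is a constructed policy value, not an Android or vendor default.
    """
    perms = declared_permissions(manifest_xml)
    hit = {group for group, names in RISK_GROUPS.items() if perms & names}
    unexpected = hit - set(expected_groups)
    return {"groups": sorted(hit), "unexpected": sorted(unexpected),
            "block": len(unexpected) >= 3}


# Constructed sample: a "delivery security" app declaring far more than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.secdelivery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, expected_groups=("location",)))
```

In an MDM or app-vetting pipeline the same check runs against every sideloaded or newly enrolled app, with the expected groups taken from the app's approved purpose rather than trusting the permissions it asks for.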
For a company, this means: Every employee who installs a manipulated app on their (supposedly) private smartphone can potentially become a mobile attack bridge – with a direct connection to the company network, the mail infrastructure, project and customer data.
Many companies have learned in recent years how to better protect their core IT systems. Endpoint detection, VPN security, and EDR (Endpoint Detection & Response) solutions now provide basic protection in many data centers and on permanently installed devices. However, the reality of the networked economy is different: employees work in hybrid models, travel frequently, and use mobile devices for precisely those IT interfaces that are particularly confidential – project coordination with partners, mobile video calls, access to SaaS platforms, sending confidential documents via email, or using collaboration tools.
This barrier is breached at the latest when a manipulated app sneaks onto a smartphone. The malware "DocSwap" focuses on continuous, almost invisible access to device data – it can intercept conversation content in real time, create movement profiles, transmit captured screenshots or on-screen keyboard inputs, and even download further malware components.
This level of access is enough to reach strategic company data via employee smartphones – especially when business apps (e.g., access to SAP systems, logistics tools, or customer databases) communicate with mobile devices. The days when attacks relied solely on classic email phishing are over.
Even more problematic is the fact that KIMSUKY is not limited to self-developed malware. In this particular case, they take legitimate tools and modify them – for example, in the form of a fake version of the Android app "BYCOM VPN." With this method, even technically savvy employees find it difficult to determine whether a program is legitimate or not. The danger is exacerbated by the trend of downloading applications from mobile app stores that then operate with hidden privileges and systematically bypass security barriers.
For CIOs and CISOs, this new attack methodology represents a significant shift in the risk assessment of mobile devices. Many companies systematically downplay the risks associated with mobile devices, operating under the assumption that "it's just the employee's personal phone/MacBook." But this is precisely where a dangerous blind spot arises.
Because:
In plain terms: Anyone who allows BYOD or mobile use of business apps today without integrating the mobile context into their IT security strategy is jeopardizing the confidentiality, integrity and availability of their own (and often also customer-side) critical data.
Moreover, it's usually not the "typical targets" who are compromised first. KIMSUKY is known for specifically targeting executives, diplomats, scientists, and decision-makers – precisely those individuals who handle particularly sensitive data and conversations.
Effective protection against mobile-based espionage attacks requires more than just technical adjustments. For company management – whether CEO, CIO, or CISO – this means a strategic realignment of risk assessment.
Mobile security must become part of the security architecture.
The distinction between a "private" mobile device and a "business-used" device is no longer tenable in practice. Every device that has access to emails, documents, cloud services, or appointments is a security risk. Therefore, companies must:
As a specialized partner for IT security, industrial espionage defense, and technical prevention measures, ProSec has in-depth knowledge of the methods used by state-sponsored attackers like KIMSUKY. Our approach: Don't just react – detect, prevent, and investigate early.
Whether it's securing your C-level devices, controlling mobile access to sensitive information, or intelligently analyzing suspicious app communication – we advise you in a technology-neutral, solution-oriented manner, informed by the current espionage and cybercrime threat landscape.
A "Remote Access Trojan" is malware that allows attackers complete remote access to a compromised system via the internet. The current case, "DocSwap," is a mobile RAT that specifically targets Android devices.
APT refers to a long-term, strategically planned cyber threat originating from state-sponsored or highly professional groups. Its primary goals are espionage, covert access, and data theft.
QR codes conceal the actual URL or function until they are scanned. Users rely on the visual presentation and often skip the security checks they would apply to a visible link. Attacks via QR codes bypass traditional phishing filters and are particularly effective on mobile devices.
Often not at all – and that's precisely the problem. Trojanized apps appear legitimate on the outside, but contain manipulated code inside. Only analytical methods like sandbox tests, signature comparisons, and API behavior analysis reveal the truth.
"Bring Your Own Device" allows employees to use their personal devices for work purposes. This saves costs, but massively increases the attack surface – as control, protection, and responsibilities are often unclear.