{
	"id": "dfbe0683-30f2-4cd7-8be7-3d7ff16593fd",
	"created_at": "2026-04-06T00:15:38.876205Z",
	"updated_at": "2026-04-10T13:12:50.579132Z",
	"deleted_at": null,
	"sha1_hash": "91a1125eee7e0e691ef3ad773a09c8c2163c6b3b",
	"title": "APT37 Deploys New Android Spyware, Chinotto",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1641938,
	"plain_text": "APT37 Deploys New Android Spyware, Chinotto\r\nBy cybleinc\r\nPublished: 2021-12-06 · Archived: 2026-04-05 22:21:43 UTC\r\nCyble Research Lab's Deep-Dive analysis on APT37's Chinotto Spyware targeting users across Asia.\r\nAndroid Spyware is a program that has been used by Threat Actors (TAs) to steal personal data from the device\r\nwithout the user’s knowledge. This report will focus on one such malicious application used by the APT (Advanced\r\nPersistent Threat) group APT37. APT37 is also known by the following names: Reaper, Ricochet Chollima, and the\r\nScarCruft group. This group performs its malicious activities through an application posing as the Secure Talk\r\napplication.\r\nAPT37 is a North Korean state-sponsored cyberespionage group that has been active since around 2012. This group\r\nis known to target victims from countries in Asia such as South Korea, Japan, Vietnam, Russia, Nepal, China, and\r\nIndia. APT37 has also targeted Romania, Kuwait, and various parts of the Middle East.\r\nCyble Research Labs came across a Securelist article in which researchers claim that a fresh attack was carried\r\nout targeting North Korean defectors and human rights activists. The Threat Actor (TA) APT37 used new spyware\r\ncalled “Chinotto” to carry out these attacks. Cyble Research Labs downloaded one of the samples and performed a\r\ndeep-dive analysis of the Chinotto Android spyware.\r\nAPT37 has also been linked to malicious campaigns between 2016 and 2018. In 2016, they targeted North Korean\r\ndefectors, human rights activists, and journalists covering news related to North Korea and government\r\norganizations associated with the Korean Peninsula. They have been linked to high-profile attacks such as\r\nOperation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean\r\nHuman Rights, and Evil New Year 2018.\r\nhttps://blog.cyble.com/2021/12/06/apt37-using-a-new-android-spyware-chinotto/\r\nPage 1 of 10\n\nThe malware is designed for stealthy espionage: once this application is successfully executed on a user’s device, it\r\ncan steal sensitive data such as contacts, SMS messages, call logs, device information, and files from the device’s\r\nexternal storage.\r\nTechnical Analysis\r\nAPK Metadata Information\r\nApp Name: SecureTalk\r\nPackage Name: com.private.talk\r\nSHA256 Hash: 8fb42bb9061ccbb30c664e41b1be5787be5901b4df2c0dc1839499309f2d9d93\r\nFigure 1 shows the metadata information of the application.\r\nFigure 1 – App Metadata Information\r\nThe application flow is shown in Figure 2. Upon being launched, the application asks for certain sensitive\r\npermissions, after which it displays the login page. During this time, the APK performs its malicious activities\r\nbehind the scenes.\r\nFigure 2 – App Start Flow\r\nManifest Description\r\nThe application requests thirteen different permissions.\r\n
Of these thirteen permissions, the attackers could abuse\r\neight to carry out the following activities:\r\nReading SMSs, Call Logs, and Contacts data.\r\nReading current cellular network information, phone number and the serial number of the victim’s phone, the\r\nstatus of any ongoing calls, and a list of any Phone Accounts registered on the device.\r\nReading or writing files on the device’s external storage.\r\nWe have listed these dangerous permissions below.\r\nPermissions Description\r\nREAD_SMS Access phone’s messages\r\nREAD_CONTACTS Access phone’s contacts\r\nREAD_CALL_LOG Access phone’s call logs\r\nREAD_PHONE_STATE Allows access to phone state, including the current cellular\r\nnetwork information, the phone number and the serial\r\nnumber of this phone, the status of any ongoing calls, and a\r\nlist of any Phone Accounts registered on the device\r\nWRITE_EXTERNAL_STORAGE Allows the app to write or delete files to the external\r\nstorage of the device\r\nREAD_EXTERNAL_STORAGE Allows the app to read the contents of the device’s external\r\nstorage\r\nGET_ACCOUNTS Allows the app to get the list of accounts used by the phone\r\nREAD_PHONE_NUMBERS Allows the app to read the device’s phone number(s).\r\nTable 1: Permissions’ Description\r\nFigure 3 shows the launcher activity of the application.\r\nFigure 3 – App Launcher Activity\r\nSource Code Description\r\nThe code snippets highlighted in Figure 4 show that the application steals the device’s contact data.\r\nFigure 4 – Code to Read Contact Data\r\nThe code snippets highlighted in Figure 5 show that the application steals the device’s SMS data.\r\nFigure 5 – Code to Read SMS Data\r\nThe code snippets in Figure 6 show that the application steals the device’s call logs data.\r\nFigure 6 – Code to Read Call Logs\r\nThe code snippets shown in Figure 7 show that the application steals the victim device’s information, such as:\r\nReading the device’s phone number(s).\r\nReading Android Operating System version Information.\r\nReading device details such as brand name, model, serial number, etc.\r\nChecking for the presence of external storage on the device.\r\nFigure 7 – Code to Read Device Information\r\nThe code snippets shown in Figure 8 show that the application steals the account details being used on the device.\r\nFigure 8 – Code to Read Accounts Information\r\nThe code snippets shown in Figure 9 show that the application also steals image and audio files from the device.\r\nFigure 9 – Code to Access Pictures and Audio\r\nThe code snippets in the figure below show that the application collects the data from the device and writes it to a\r\ntext file.\r\nFigure 10 – Code to Write Collected Data in Text File\r\nThe snippets below indicate the application’s code flow to upload the data to the TA’s Command and Control (C\u0026C)\r\nserver.\r\nFigure 11 – Code to Upload the Data to TA’s C\u0026C Server\r\nThe snippet below shows that the application performs activities according to commands defined by the TA(s).\r\nFigure 12 – Commands Defined by the TA(s)\r\nThe table below highlights some of the commands defined by the TA.\r\nCommand Description\r\nref: Sends signal to C\u0026C server\r\ndown Uploads /.temp-file.dat file\r\nUriP Writes path /.temp-file.dat to /result-file.dat file and uploads it to C\u0026C\r\n“” Writes results to /result-file.dat and uploads it to C\u0026C\r\nTable 2 – Commands Description\r\nTraffic Analysis\r\nDuring traffic analysis of the application, we identified that it continuously communicates with the TA’s C\u0026C server\r\nhxxp://haeundaejugong[.]com/data/jugong/do.php?type=command\u0026direction=receive\u0026id=1295c8887ec39859_hd.\r\nThe figure below shows that the application uploads sensitive data such as contacts, call logs, and SMSs from the\r\ndevice to the TA’s C\u0026C.\r\nFigure 13 – Uploads Sensitive Data to the TA’s C\u0026C\r\nThreat Actor Infrastructure Analysis\r\nCyble Research Labs has also identified that the TA’s infrastructure was hosted in South Korea (KR).\r\nFigure 14 – Location of Domain Hosted\r\nWe also noticed that the TTL value of the MX record of http[:]//haeundaejugong.com is 60, which is generally an\r\nindicator of Fast-Flux behavior.\r\nFigure 15 – TTL Value of MX record of TA’s Domain\r\nConclusion\r\nChinotto is spyware targeting specific users to steal sensitive information such as contacts, SMSs, call logs and files.\r\nIt also has the capability to record audio from the device without the victim’s knowledge.\r\nThreat Actors constantly adapt their methods to avoid detection and find new ways to target users through\r\nsophisticated techniques. Such malicious applications often masquerade as legitimate applications to confuse users\r\ninto installing them.\r\nUsers should install applications only after verifying their authenticity and install them exclusively from the official\r\nGoogle Play Store to avoid such attacks.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers.\r\n
We recommend that our readers follow the best practices given below:\r\nHow to prevent malware infection?\r\nDownload and install software only from official app stores like Google Play Store.\r\nUse a reputed anti-virus and internet security software package on your connected devices, including PC,\r\nlaptop, and mobile.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nEnable biometric security features such as fingerprint or password for unlocking the mobile device where\r\npossible.\r\nBe wary of opening any links in SMSs or emails delivered to your phone.\r\nEnsure that Google Play Protect is enabled on Android devices.\r\nBe careful while enabling any permissions.\r\nKeep your devices, operating systems, and applications updated.\r\nHow to identify whether you are infected?\r\nRegularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.\r\nKeep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.\r\nWhat to do when you are infected?\r\nDisable Wi-Fi/Mobile Data and remove the SIM Card, as in some cases the malware can re-enable Mobile\r\nData.\r\nPerform a Factory Reset.\r\nRemove the application in case a factory reset is not possible.\r\nTake a backup of personal media files (excluding mobile applications) and perform a device reset.\r\nWhat to do in case of any fraudulent transaction?\r\nIn case of a fraudulent transaction, immediately report it to the concerned bank.\r\nWhat should banks do to protect their customers?\r\nBanks and other financial entities should educate customers on safeguarding themselves from malware\r\nattacks via telephone, SMSs, or emails.
\r\nMITRE ATT\u0026CK® Techniques\r\nTactic Technique ID Technique Name\r\nInitial Access T1476 Deliver Malicious App via Other Means\r\nExecution T1575 Native Code\r\nPersistence T1402 Broadcast Receivers\r\nCollection T1412 Capture SMS Messages\r\nCollection T1432 Access Contacts List\r\nCollection T1433 Access Call Log\r\nCollection T1533 Data from Local System\r\nIndicators Of Compromise (IOCs)\r\nIndicator Indicator type Description\r\n8fb42bb9061ccbb30c664e41b1be5787be5901b4df2c0dc1839499309f2d9d93 SHA256 Malicious APK\r\nhxxp[:]//haeundaejugong.com/data/jugong/do.php?type=file\u0026direction=send\u0026id=1295c8887ec39859_hd URL TA’s C\u0026C\r\nSource: https://blog.cyble.com/2021/12/06/apt37-using-a-new-android-spyware-chinotto/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2021/12/06/apt37-using-a-new-android-spyware-chinotto/"
	],
	"report_names": [
		"apt37-using-a-new-android-spyware-chinotto"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434538,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/91a1125eee7e0e691ef3ad773a09c8c2163c6b3b.pdf",
		"text": "https://archive.orkl.eu/91a1125eee7e0e691ef3ad773a09c8c2163c6b3b.txt",
		"img": "https://archive.orkl.eu/91a1125eee7e0e691ef3ad773a09c8c2163c6b3b.jpg"
	}
}