{
	"id": "95336e94-cf08-4ca6-89ff-6c45d2b316d3",
	"created_at": "2026-04-06T01:31:25.40543Z",
	"updated_at": "2026-04-10T13:12:03.054722Z",
	"deleted_at": null,
	"sha1_hash": "a3feac0c2c205b40b7b8506a7357349f8f3aaab2",
	"title": "Spyware Disguised as Korean App Targets Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 721194,
	"plain_text": "Spyware Disguised as Korean App Targets Asia\r\nBy cybleinc\r\nPublished: 2021-09-03 · Archived: 2026-04-06 00:33:11 UTC\r\nA mobile app targeting both iOS and Android users primarily from China, Korea, and Japan conduct spyware\r\nactivities.\r\nA mobile app targeting both iOS and Android users primarily from China, Korea, and Japan was first identified\r\nby Lookout Threat Intelligence team in December 2020. The apps conduct spyware activities by offering escort\r\nservices while they steal personal information from the victim’s device. The goal of the attackers behind this data\r\nexfiltration of personal information is extortion or blackmail. \r\nThis particular type of scam is commonly called “Sextortion” and it typically targets multiple countries. These\r\napplications are often disguised as messaging, camera, and utility apps and are designed to exfiltrate data such as: \r\nContacts \r\nSMS data \r\nLocation information \r\nImages from device storage\r\nTechnical Analysis \r\nDuring our routine threat hunting exercise, Cyble Research Labs came across a Twitter post that mentioned spyware\r\nmasquerading as a Korean video app named “동영상“.  \r\nSee Cyble in Action\r\nWorld's Best AI-Native Threat Intelligence\r\nhttps://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/\r\nPage 1 of 7\n\nResearchers at Cyble downloaded the malware samples and performed a detailed\r\nanalysis, based on which, we determined that the malware is a variant of spyware and uploads the victim data to a\r\nCommand \u0026 Control (C2) server. \r\nAPK Metadata Information \r\nApp Name: 동영상 \r\nPackage Name: org.nnnmbook.sytyd \r\nSHA256 Hash: 0bda73046fd733164877071d11318ec6dd56a6ea4e773c70ed5a3c8f7a244478 \r\nFigure 1 represents the metadata information of the application. \r\nFigure 1 Metadata Information\r\nThe malware has a set of permissions, out of which the attackers leverage three permissions to collect contacts,\r\nSMSs, and the victim’s location. These dangerous permissions are listed in Table 1. \r\nPermissions  Description \r\nINTERNET   Allows applications to open network sockets \r\nREAD_PHONE_STATE   Read-only access to phone state \r\nREAD_CONTACTS  Access to phone contacts \r\nTable 1 Permission used for malicious activity\r\nUpon simulating the app, we observed that it initially requests users for permission to read contacts. Once the app\r\nhas this permission, it loads the app’s main activity, as shown in Figure 2. \r\nhttps://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/\r\nPage 2 of 7\n\nFigure 2 App Flow \r\nThe app uses the permissions granted by the users to perform these activities on the users’ devices:  \r\nThe app reads the contacts from the compromised device and stores them in the array list \r\nFigure 3 Reads and collects the contacts from the compromised device \r\nCollected contacts are stored in a JSON file and are uploaded to a C2 link as shown in figure below. \r\nhttps://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/\r\nPage 3 of 7\n\nFigure 4 Collected Contact data are stored in JSON file and uploaded via C2 link\r\nThe application also has a code function to read and collect SMS data from the compromised device. \r\nFigure 5 Collects Message details from the compromised device\r\nAs shown in Figure 6, the collected SMS details are stored in a JSON file and are uploaded to the C2 link as\r\nrepresented below. \r\nhttps://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/\r\nPage 4 of 7\n\nFigure 6 Uploads the collected SMS details to the C2 link\r\nUpon finding the functions being called, where the collected contacts and messages are sent via C2\r\nlink, the app further connects to the function that performs additional activities such as collecting albums and\r\ndevice details. \r\nFigure 7 Sensitive information collected from the app\r\nhttps://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/\r\nPage 5 of 7\n\nThe app synchronizes the user’s device data with the C2 login page used by the attacker to fetch the stored sensitive\r\ninformation. \r\nFigure 8 Collects the device data and uploads it to the C2 server\r\nConclusion  \r\nDespite having been around for a long time, spyware still poses a significant threat as the Threat\r\nActors responsible are constantly adapting and using various encryption techniques to avoid detection. This\r\nmakes the removal of spyware nearly impossible. Thus, users should exercise caution while installing applications. \r\nSAFETY RECOMMENDATIONS: \r\nKeep your anti-virus software updated to detect and remove malicious software.  \r\nUninstall the application if you find this malware on your device.  \r\nKeep your system and applications updated to the latest versions.  \r\nUse strong passwords and enable two-factor authentication.  \r\nDownload and install software only from trusted sites and official app stores.  \r\nVerify the privileges and permissions requested by apps before granting them access.   \r\nMITRE ATT\u0026CK® Techniques- for Mobile \r\nTactic  Technique ID  Technique Name \r\nDefense Evasion  T1406  Obfuscated Files or Information \r\nhttps://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/\r\nPage 6 of 7\n\nCredential Access/Collection  T1412  Capture SMS Messages \r\nDiscovery  T1421  System Network Connections Discovery \r\nDiscovery  T1426  System Information Discovery \r\nCollection  T1432  Access Contact List \r\nCollection  T1507  Network Information Discovery \r\nImpact  T1447  Delete Device Data \r\nIndicators of Compromise (IoCs):   \r\nIndicators \r\nIndicator\r\ntype \r\nDescription \r\n0bda73046fd733164877071d11318ec6dd56a6ea4e773c70ed5a3c8f7a244478 \r\nSHA 256\r\nFile\r\nHash \r\nAnalysed\r\nMalicious\r\nfile \r\nhxxp://206.119.173[.]23:8080/m/uploadSms.htm  URL  C2 Link \r\nhxxp://206.119.173[.]23:8080/m/sychonizeUser.htm  URL  C2 Link \r\nhxxp://206.119.173[.]23:8080/m/openVip.htm  URL  C2 Link \r\nhxxp://206.119.173[.]23:8080/m/login.htm  URL  C2 Link \r\nhxxp://206.119.173[.]23:8080/m/uploadAlbum.htm  URL  C2 Link \r\nAbout Cyble  \r\nCyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and\r\nexposure on the dark web. Cyble’s prime focus is to provide organizations with real-time visibility into their digital\r\nrisk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes\r\nas one of the top 20 Best Cybersecurity Startups to Watch in 2020. Headquartered in Alpharetta, Georgia, and with\r\noffices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble,\r\nvisit www.cyble.com.  \r\nSource: https://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/\r\nhttps://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/"
	],
	"report_names": [
		"spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries"
	],
	"threat_actors": [],
	"ts_created_at": 1775439085,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a3feac0c2c205b40b7b8506a7357349f8f3aaab2.pdf",
		"text": "https://archive.orkl.eu/a3feac0c2c205b40b7b8506a7357349f8f3aaab2.txt",
		"img": "https://archive.orkl.eu/a3feac0c2c205b40b7b8506a7357349f8f3aaab2.jpg"
	}
}