Spyware Disguised as Korean App Targets Asia
By cybleinc
Published: 2021-09-03 · Archived: 2026-04-06 00:33:11 UTC
A mobile app targeting both iOS and Android users primarily from China, Korea, and Japan conduct spyware
activities.
A mobile app targeting both iOS and Android users primarily from China, Korea, and Japan was first identified
by Lookout Threat Intelligence team in December 2020. The apps conduct spyware activities by offering escort
services while they steal personal information from the victim’s device. The goal of the attackers behind this data
exfiltration of personal information is extortion or blackmail. 
This particular type of scam is commonly called “Sextortion” and it typically targets multiple countries. These
applications are often disguised as messaging, camera, and utility apps and are designed to exfiltrate data such as: 
Contacts 
SMS data 
Location information 
Images from device storage
Technical Analysis 
During our routine threat hunting exercise, Cyble Research Labs came across a Twitter post that mentioned spyware
masquerading as a Korean video app named “동영상“.  
See Cyble in Action
World's Best AI-Native Threat Intelligence
https://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/
Page 1 of 7

Researchers at Cyble downloaded the malware samples and performed a detailed
analysis, based on which, we determined that the malware is a variant of spyware and uploads the victim data to a
Command & Control (C2) server. 
APK Metadata Information 
App Name: 동영상 
Package Name: org.nnnmbook.sytyd 
SHA256 Hash: 0bda73046fd733164877071d11318ec6dd56a6ea4e773c70ed5a3c8f7a244478 
Figure 1 represents the metadata information of the application. 
Figure 1 Metadata Information
The malware has a set of permissions, out of which the attackers leverage three permissions to collect contacts,
SMSs, and the victim’s location. These dangerous permissions are listed in Table 1. 
Permissions  Description 
INTERNET   Allows applications to open network sockets 
READ_PHONE_STATE   Read-only access to phone state 
READ_CONTACTS  Access to phone contacts 
Table 1 Permission used for malicious activity
Upon simulating the app, we observed that it initially requests users for permission to read contacts. Once the app
has this permission, it loads the app’s main activity, as shown in Figure 2. 
https://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/
Page 2 of 7

Figure 2 App Flow 
The app uses the permissions granted by the users to perform these activities on the users’ devices:  
The app reads the contacts from the compromised device and stores them in the array list 
Figure 3 Reads and collects the contacts from the compromised device 
Collected contacts are stored in a JSON file and are uploaded to a C2 link as shown in figure below. 
https://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/
Page 3 of 7

Figure 4 Collected Contact data are stored in JSON file and uploaded via C2 link
The application also has a code function to read and collect SMS data from the compromised device. 
Figure 5 Collects Message details from the compromised device
As shown in Figure 6, the collected SMS details are stored in a JSON file and are uploaded to the C2 link as
represented below. 
https://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/
Page 4 of 7

Figure 6 Uploads the collected SMS details to the C2 link
Upon finding the functions being called, where the collected contacts and messages are sent via C2
link, the app further connects to the function that performs additional activities such as collecting albums and
device details. 
Figure 7 Sensitive information collected from the app
https://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/
Page 5 of 7

The app synchronizes the user’s device data with the C2 login page used by the attacker to fetch the stored sensitive
information. 
Figure 8 Collects the device data and uploads it to the C2 server
Conclusion  
Despite having been around for a long time, spyware still poses a significant threat as the Threat
Actors responsible are constantly adapting and using various encryption techniques to avoid detection. This
makes the removal of spyware nearly impossible. Thus, users should exercise caution while installing applications. 
SAFETY RECOMMENDATIONS: 
Keep your anti-virus software updated to detect and remove malicious software.  
Uninstall the application if you find this malware on your device.  
Keep your system and applications updated to the latest versions.  
Use strong passwords and enable two-factor authentication.  
Download and install software only from trusted sites and official app stores.  
Verify the privileges and permissions requested by apps before granting them access.   
MITRE ATT&CK® Techniques- for Mobile 
Tactic  Technique ID  Technique Name 
Defense Evasion  T1406  Obfuscated Files or Information 
https://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/
Page 6 of 7

Credential Access/Collection  T1412  Capture SMS Messages 
Discovery  T1421  System Network Connections Discovery 
Discovery  T1426  System Information Discovery 
Collection  T1432  Access Contact List 
Collection  T1507  Network Information Discovery 
Impact  T1447  Delete Device Data 
Indicators of Compromise (IoCs):   
Indicators 
Indicator
type 
Description 
0bda73046fd733164877071d11318ec6dd56a6ea4e773c70ed5a3c8f7a244478 
SHA 256
File
Hash 
Analysed
Malicious
file 
hxxp://206.119.173[.]23:8080/m/uploadSms.htm  URL  C2 Link 
hxxp://206.119.173[.]23:8080/m/sychonizeUser.htm  URL  C2 Link 
hxxp://206.119.173[.]23:8080/m/openVip.htm  URL  C2 Link 
hxxp://206.119.173[.]23:8080/m/login.htm  URL  C2 Link 
hxxp://206.119.173[.]23:8080/m/uploadAlbum.htm  URL  C2 Link 
About Cyble  
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and
exposure on the dark web. Cyble’s prime focus is to provide organizations with real-time visibility into their digital
risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes
as one of the top 20 Best Cybersecurity Startups to Watch in 2020. Headquartered in Alpharetta, Georgia, and with
offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble,
visit www.cyble.com.  
Source: https://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/
https://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/
Page 7 of 7