Kimsuky Spreads DocSwap Android Malware via QR Phishing Posing as Delivery App

Dec 18, 2025Ravie LakshmananMalware / Mobile Security

The North Korean threat actor known as Kimsuky has been linked to a new campaign that distributes a new variant of Android malware called DocSwap via QR codes hosted on phishing sites mimicking Seoul-based logistics firm CJ Logistics (formerly CJ Korea Express).

“The threat actor leveraged QR codes and notification pop-ups to lure victims into installing and executing the malware on their mobile devices,” ENKI said. “The malicious app decrypts an embedded encrypted APK and launches a malicious service that provides RAT capabilities.”

“Since Android blocks apps from unknown sources and displays security warnings by default, the threat actor claims the app is a safe, official release to trick victims into ignoring the warning and installing the malware.”

According to the South Korean cybersecurity company, some of these artifacts masquerade as package delivery service apps. It’s being assessed that the threat actors are using smishing texts or phishing emails impersonating delivery companies to deceive recipients into clicking on booby-trapped URLs hosting the apps.

Should the victim proceed to install the app, an APK package (“SecDelivery.apk”) is downloaded from the server (“27.102.137[.]181”). The APK file then decrypts and loads an encrypted APK embedded into its resources to launch the new version of DocSwap, but not before ascertaining that it has obtained the necessary permission to read and manage external storage, access the internet, and install additional packages.

“Once it confirms all permissions, it immediately registers the MainService of the newly loaded APK as ‘com.delivery.security.MainService,'” ENKI said. “Simultaneously with service registration, the base application launches AuthActivity. This activity masquerades as an OTP authentication screen and verifies the user’s identity using a delivery number.”

The shipment number is hard-coded within the APK as “742938128549,” and is likely delivered alongside the malicious URL during the initial access phase. Once the user enters the provided delivery number, the application is configured to generate a random six-digit verification code and display it as a notification, following which they are prompted to input the generated code.

As soon as the code is provided, the app opens a WebView with the legitimate URL “www.cjlogistics[.]com/ko/tool/parcel/tracking,” while, in the background, the trojan connects to an attacker-controlled server (“27.102.137[.]181:50005”) and receive as many as 57 commands that allow it to log keystrokes, capture audio, start/stop camera recording perform file operations, run commands, upload/download files, and gather location, SMS messages, contacts, call logs, and a list of installed apps.

ENKI said it also discovered two other samples disguised as a P2B Airdrop app and a trojanized version of a legitimate VPN program called BYCOM VPN (“com.bycomsolutions.bycomvpn”) that’s available on the Google Play Store and developed by an Indian IT services company named Bycom Solutions.

“This indicates that the threat actor injected malicious functionality into the legitimate APK and repackaged it for use in the attack,” the security company added.

Further analysis of the threat actor infrastructure has uncovered phishing sites mimicking South Korean platforms like Naver and Kakao that seek to capture users’ credentials. These sites, in turn, have been found to share overlaps with a prior Kimsuky credential harvesting campaign targeting Naver users.

“The executed malware launches a RAT service, capabilities, similarly to past cases but demonstrates evolved such as using a new native function to decrypt the internal APK and incorporating diverse decoy behaviors,” ENKI said.