Researchers at cybersecurity firm ESET have attributed a sophisticated Android surveillance campaign to the North Korean state-sponsored hacking group APT37, also known as Ricochet Chollima. The campaign deployed a custom backdoor called BirdCall, hidden inside trojanized card game applications distributed by a company called Sqgame, targeting the ethnic Korean diaspora in China.
Who Is APT37?
APT37 (also tracked as Reaper, Group123, ScarCruft, and Ricochet Chollima) is a threat actor widely attributed to North Korea's Reconnaissance General Bureau. Unlike APT38, which focuses on financial theft, APT37's primary mandate is intelligence collection, particularly against individuals and organizations of political interest to Pyongyang.
Historical APT37 campaigns have targeted:
- South Korean government officials and journalists
- North Korean defectors
- Human rights organizations
- Members of the Korean diaspora abroad
The targeting of ethnic Koreans in China — known as the Joseonjok community — is consistent with APT37's historical interest in monitoring Korean-speaking populations outside the peninsula who may have connections to defector networks or South Korean interests.
The BirdCall Backdoor
The malware, dubbed BirdCall by ESET, is a full-featured Android backdoor distributed by embedding it inside legitimate-looking card game apps attributed to a company called Sqgame. The games themselves appear functional, reducing suspicion while the backdoor operates silently in the background.
Capabilities
Based on ESET's analysis, BirdCall is capable of:
| Capability | Description |
|---|---|
| Contact harvesting | Exfiltrates the victim's full contact list |
| SMS interception | Reads incoming and outgoing text messages |
| Call logging | Records call history including numbers and timestamps |
| Location tracking | Continuously reports GPS coordinates to the C2 server |
| File exfiltration | Uploads targeted files from device storage |
| Microphone recording | Captures ambient audio on demand |
| Photo theft | Accesses and exfiltrates camera photos |
| App inventory | Enumerates installed applications |
Command and Control
BirdCall communicates with attacker-controlled infrastructure over encrypted channels, so payload inspection alone will not reveal what is being exfiltrated. Encryption does not hide the metadata, however: destination, timing, and the volume of outbound versus inbound bytes remain visible to network defenders and are the practical basis for detecting this class of implant. The card game theme also provides social cover; users are less likely to question battery drain or background network activity if they believe a game is running.
Distribution Method
The campaign relied on trojanized applications rather than a compromised legitimate developer: the malicious games were distributed through channels frequented by the Joseonjok community. The specific channels have not been confirmed, but they likely include:
- Third-party Android app stores popular in China (Google Play is not available in mainland China)
- Community forums and social media groups
- Direct messaging via platforms like WeChat or Telegram
Trojanizing an ordinary-looking app is a well-documented APT37 tactic. The group has previously used utilities such as document readers and media players as carriers, and a card game follows the same pattern of choosing an app category whose users expect nothing sensitive from it.
Geopolitical Context
The targeting of ethnic Koreans in China carries significant geopolitical implications. Members of China's Korean minority (approximately 2 million people, concentrated in Jilin Province and the Yanbian Korean Autonomous Prefecture) often serve as intermediaries between North Korean defectors and South Korean NGOs. North Korea has a strong interest in mapping these networks.
This campaign likely serves multiple intelligence objectives:
- Identifying defector support networks that operate through China
- Monitoring communications between the diaspora and South Korean entities
- Tracking individuals who may be assisting defectors attempting to reach South Korea through China
Detection and Defense
For Individuals
- Only install apps from Google Play (where available) or verified official sources
- Review app permissions before installation — a card game should not require access to contacts, SMS, microphone, or location
- Use a mobile security product capable of detecting Android malware
- Be suspicious of apps distributed through informal channels, regardless of apparent legitimacy
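The permission review above can be automated before an APK is sideloaded. The following is an added example (not ESET's tooling and not code from this article) that parses the text printed by `aapt dump permissions <apk>` from the Android SDK build-tools, maps each dangerous permission to the BirdCall capability it would enable, and reports anything a card game cannot justify. The sample dump is constructed to resemble a trojanized game and does not come from the real Sqgame apps; the baseline set of permissions considered normal for a game is this example's assumption.

```python
"""Flag APK permission requests that are inconsistent with a card game.

Added example. Input is the output of `aapt dump permissions <apk>`; both
the `name='...'` form and the older bare form are accepted. The sample
dump below is constructed, not taken from any real Sqgame package.
"""
import re

# Dangerous permissions grouped by the backdoor capability they enable.
CAPABILITY_PERMISSIONS = {
    "contact harvesting": {"android.permission.READ_CONTACTS"},
    "SMS interception": {"android.permission.READ_SMS",
                         "android.permission.RECEIVE_SMS"},
    "call logging": {"android.permission.READ_CALL_LOG"},
    "location tracking": {"android.permission.ACCESS_FINE_LOCATION",
                          "android.permission.ACCESS_COARSE_LOCATION",
                          "android.permission.ACCESS_BACKGROUND_LOCATION"},
    "file exfiltration": {"android.permission.READ_EXTERNAL_STORAGE",
                          "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "microphone recording": {"android.permission.RECORD_AUDIO"},
    "photo theft": {"android.permission.READ_MEDIA_IMAGES",
                    "android.permission.CAMERA"},
    "app inventory": {"android.permission.QUERY_ALL_PACKAGES"},
}

# Assumed baseline: what an online card game can plausibly need.
GAME_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.VIBRATE",
    "android.permission.WAKE_LOCK",
}

# Matches "uses-permission: name='X'" and the older "uses-permission: X".
_PERM_RE = re.compile(r"^uses-permission: (?:name=')?([\w.]+)'?", re.M)


def parse_aapt_permissions(dump):
    """Return the set of permission names declared in an aapt dump."""
    return set(_PERM_RE.findall(dump))


def assess(permissions, baseline=GAME_BASELINE):
    """Map requested permissions to surveillance capabilities.

    Returns (findings, unexplained): findings is a dict of capability ->
    sorted list of matching permissions; unexplained lists permissions
    that are neither in the baseline nor in any known capability group.
    """
    findings = {}
    for capability, perms in CAPABILITY_PERMISSIONS.items():
        hit = sorted(perms & permissions)
        if hit:
            findings[capability] = hit
    known = set().union(*CAPABILITY_PERMISSIONS.values())
    unexplained = sorted(permissions - baseline - known)
    return findings, unexplained


def verdict(dump):
    """'SUSPICIOUS' if any surveillance capability is requested, else 'OK'."""
    findings, _ = assess(parse_aapt_permissions(dump))
    return "SUSPICIOUS" if findings else "OK"


# Constructed sample resembling a trojanized card game (not real data).
SAMPLE_DUMP = """package: com.example.cardgame
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.QUERY_ALL_PACKAGES'
uses-permission: name='android.permission.FOREGROUND_SERVICE'
"""

if __name__ == "__main__":
    found, extra = assess(parse_aapt_permissions(SAMPLE_DUMP))
    for cap, perms in found.items():
        print(f"{cap}: {', '.join(perms)}")
    print("unexplained:", extra)
    print("verdict:", verdict(SAMPLE_DUMP))
```

On a real device the same check can be run after the fact with `adb shell dumpsys package <pkg>` and reviewing the `requested permissions` block; the point is the same, a game that asks for contacts, SMS, call log, location, and the microphone is requesting the full capability set in the table above.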
For Organizations
- Deploy Mobile Device Management (MDM) solutions with app allowlisting
- Monitor for unusual data exfiltration patterns from mobile devices on corporate networks
- Brief staff on social engineering via mobile apps, particularly in regions with geopolitical risk
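Because the implant encrypts its C2 traffic, "unusual data exfiltration patterns" has to mean metadata: per-device flow records grouped by destination, scored for regular check-in intervals and upload-dominated byte counts. The following is an added example (not part of this article or ESET's research) of that scoring over constructed flow records; the field layout, the thresholds, and the documentation-range destination addresses are this example's assumptions, and a real deployment would tune them against the organization's own baseline.

```python
"""Beaconing and upload-heavy flow detection for mobile devices.

Added example. Each flow record is (unix_ts, device, dst_ip, bytes_out,
bytes_in), the shape a NetFlow/IPFIX export or proxy log can be reduced
to. Thresholds are assumed starting points, not published indicators.
"""
from collections import defaultdict
from statistics import mean, pstdev


def flow_features(flows):
    """Aggregate flows per (device, dst) into timing and volume features.

    gap_cv is the coefficient of variation of inter-flow gaps; a value
    near 0 means the device contacts dst on a fixed schedule, which is
    characteristic of implant check-ins rather than human browsing.
    """
    groups = defaultdict(list)
    for ts, dev, dst, out, inn in flows:
        groups[(dev, dst)].append((ts, out, inn))
    features = {}
    for key, recs in groups.items():
        recs.sort()
        stamps = [r[0] for r in recs]
        out = sum(r[1] for r in recs)
        inn = sum(r[2] for r in recs)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        gap_cv = None
        if len(gaps) >= 3:
            m = mean(gaps)
            gap_cv = pstdev(gaps) / m if m > 0 else float("inf")
        features[key] = {
            "count": len(recs),
            "bytes_out": out,
            "bytes_in": inn,
            "upload_ratio": out / (out + inn) if out + inn else 0.0,
            "gap_cv": gap_cv,
        }
    return features


def flag(features, min_flows=8, max_cv=0.15, min_upload_ratio=0.6):
    """Return {(device, dst): [reasons]} for pairs worth investigating.

    Assumed thresholds: at least min_flows contacts, gap_cv <= max_cv
    for a beacon, upload_ratio >= min_upload_ratio for exfiltration.
    """
    flagged = {}
    for key, f in features.items():
        if f["count"] < min_flows:
            continue
        reasons = []
        if f["gap_cv"] is not None and f["gap_cv"] <= max_cv:
            reasons.append(f"regular check-in interval (gap_cv={f['gap_cv']:.3f})")
        if f["upload_ratio"] >= min_upload_ratio:
            reasons.append(f"upload-dominated ({f['upload_ratio']:.0%} outbound)")
        if reasons:
            flagged[key] = reasons
    return flagged


def constructed_flows():
    """Constructed sample: one beaconing device, one browsing device."""
    flows = []
    # phone-17 contacts 203.0.113.10 roughly every 5 minutes, pushing ~40 KB
    # each time and receiving almost nothing (constructed, not real C2).
    t = 1_700_000_000
    for gap in [0, 300, 298, 303, 300, 297, 302, 301, 299, 300, 300, 302]:
        t += gap
        flows.append((t, "phone-17", "203.0.113.10", 40_000, 600))
    # phone-22 browses 198.51.100.5 at irregular times, mostly downloading.
    t = 1_700_000_000
    for gap in [0, 12, 340, 5, 1800, 60, 7, 900, 3, 2400]:
        t += gap
        flows.append((t, "phone-22", "198.51.100.5", 2_000, 150_000))
    return flows


if __name__ == "__main__":
    for (dev, dst), reasons in flag(flow_features(constructed_flows())).items():
        print(f"{dev} -> {dst}: " + "; ".join(reasons))
```

Either signal on its own produces false positives (push notification services beacon too; backup clients upload in bulk), so the useful alert is the combination, raised for a device whose flagged destination is not on an allowlist of known services. With MDM in place, the device's installed app inventory can then be pulled to see which package owns the traffic.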
Indicators of Compromise
Organizations and individuals who believe they may have been targeted should consult ESET's published threat intelligence for specific file hashes, C2 domains, and network indicators associated with BirdCall.
ESET Attribution
ESET's attribution to APT37 is based on overlapping infrastructure, code similarities with previously documented APT37 tooling, and the targeting profile being consistent with the group's known intelligence collection mandate. The Sqgame app distribution mechanism aligns with the group's previous use of seemingly legitimate app developers as a distribution front.