APT37 Targets Ethnic Koreans in China With Android BirdCall Malware
ESET says APT37 compromised Sqgame card game platform to deliver BirdCall backdoor to Android devices, stealing SMS, call logs, and private keys from ethnic Koreans in Yanbian.

Executive Summary
North Korea's APT37 hacking group has been targeting ethnic Koreans in China's Yanbian region with a previously undocumented Android backdoor dubbed BirdCall, delivered through a compromised mobile game platform, according to researchers at ESET. The supply-chain attack abused the website of Sqgame, a company that produces a suite of card games; ESET traces the compromise back to at least November 2024. Victims who downloaded the games in a web browser and sideloaded them received a benign initial APK, and only a later malicious update package deployed the BirdCall backdoor. The malware lets its operators record audio through the microphone, capture screenshots, log calls, steal SMS messages, exfiltrate contact lists, and extract private keys from external storage. ESET identified seven distinct versions of the Android BirdCall variant, indicating sustained development over several months. The campaign appears aimed at North Korean defectors and refugees living in Yanbian, which borders North Korea and is sometimes called "Third Korea."
Technical Analysis
ESET researcher Filip Jurčacko detailed the infection chain in a report published May 6, 2026. The attack begins when a victim visits the compromised Sqgame website and downloads an Android application package (APK) of a card game. The initial APK is clean: it contains no malicious code, so scanning the download itself would not have revealed the compromise. The game platform's update mechanism had been subverted, however, and a subsequent update package delivered the BirdCall payload. ESET noted that the update package was no longer malicious at the time of its analysis, which suggests the attackers rotated their infrastructure or the compromise was remediated.
BirdCall's Android variant is a full-featured remote access trojan (RAT). Upon first execution, it collects extensive device information and sends it to a command-and-control (C2) server. The malware can:
- Record audio via the device microphone, enabling eavesdropping on the victim's surroundings.
- Capture screenshots of the device screen.
- Record phone calls.
- Exfiltrate SMS messages, contact lists, and call logs.
- Steal media files (photos, videos, documents).
- Extract private cryptographic keys from external storage devices connected to the phone.
- Search attached external storage for specific file types.
The Android backdoor was developed iteratively over several months, with ESET finding seven distinct versions. That cadence points to active refinement of the malware's capabilities, whether driven by operational needs or by a wish to stay ahead of detection.
The Windows version of BirdCall was first documented by South Korean security vendor AhnLab and others in 2021. The Android variant represents a significant expansion of APT37's mobile targeting capabilities. ESET noted that the group had previously deployed Android spyware through apps available on the Google Play store in 2025, targeting South Korean academic experts and a North Korea-focused news outlet.
ESET was unable to determine when the Sqgame website was first compromised; November 2024 is only the earliest activity the researchers observed. They contacted Sqgame in December 2025 but received no response. Compromising a legitimate game distribution platform is a supply-chain tactic APT37 has used before, though typically against Windows targets.
Mitigations & Recommendations
Because the infection vector relies on sideloaded apps from a compromised third-party website, the primary mitigation is user education and policy enforcement. Defenders should:
- Advise users in at-risk communities (ethnic Koreans in border regions, North Korean defectors, academics focused on Korean affairs) to avoid downloading Android apps from outside official app stores, especially from lesser-known game platforms.
- Enable Google Play Protect on all Android devices; it scans sideloaded apps as well as Play-installed ones and can catch known malware variants, though a freshly built sample (BirdCall went through seven revisions) may not yet be detected.
- Monitor outbound connections from Android devices for traffic to unfamiliar hosts, particularly infrastructure associated with North Korean operators. On mobile this usually means routing managed devices through a VPN or DNS resolver whose logs you retain, since the device itself offers little visibility.
- Review app permissions regularly. BirdCall needs microphone, SMS, call-log, contacts and storage access, none of which a card game has any reason to request; a game holding those permissions is a red flag on its own.
- For organizations with managed devices, deploy mobile device management (MDM) policies that block sideloading of apps from untrusted sources.
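As an added example (not code from ESET's report or from Sqgame), the following Python script turns the permission-review and sideloading checks above into something a helpdesk or incident responder can run over the text of `adb shell dumpsys package`. It flags apps that were not installed by the Play Store and groups any spyware-grade permissions they request (microphone, SMS, call logs, contacts, storage) by capability, noting whether each is actually granted or merely requested. The package names and the dumpsys excerpt are constructed for the demo; the regexes assume the dumpsys layout of recent Android releases and should be spot-checked against the target device.

```python
import re
from dataclasses import dataclass, field
from typing import AbstractSet, Dict, List, Optional, Set

# Permissions a card game has no reason to request, keyed to the capability they
# unlock: the same data classes BirdCall is reported to collect.
SENSITIVE: Dict[str, str] = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage",
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Play Store; anything else was sideloaded

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
INSTALLER_RE = re.compile(r"^\s*installerPackageName=(\S+)")
PERM_RE = re.compile(r"^\s*([\w.]+\.permission\.[A-Z0-9_]+)(?::\s*granted=(true|false))?")

@dataclass
class AppReport:
    package: str
    installer: Optional[str] = None                   # None when dumpsys prints "null"
    requested: Set[str] = field(default_factory=set)  # the "requested permissions:" list
    granted: Set[str] = field(default_factory=set)    # install/runtime perms with granted=true

def parse_dumpsys(text: str) -> List[AppReport]:
    """Walk dumpsys output: a 'Package [...]' header, then indented permission lists."""
    reports: List[AppReport] = []
    cur: Optional[AppReport] = None
    section: Optional[str] = None  # "requested", "install" or "runtime"
    for raw in text.splitlines():
        if m := PKG_RE.match(raw):
            cur = AppReport(package=m.group(1))
            reports.append(cur)
            section = None
            continue
        if cur is None:
            continue
        if m := INSTALLER_RE.match(raw):
            cur.installer = None if m.group(1) == "null" else m.group(1)
            continue
        stripped = raw.strip()
        if stripped.endswith("permissions:"):
            section = stripped[: -len("permissions:")].strip()
            continue
        if section and (m := PERM_RE.match(raw)):
            if section == "requested":
                cur.requested.add(m.group(1))
            elif m.group(2) == "true":
                cur.granted.add(m.group(1))
            continue
        section = None  # any other line (e.g. "User 0: ...") closes the current list
    return reports

def sensitive_capabilities(report: AppReport) -> Dict[str, List[str]]:
    caps: Dict[str, List[str]] = {}
    for perm in sorted(report.requested):
        if perm in SENSITIVE:
            caps.setdefault(SENSITIVE[perm], []).append(perm)
    return caps

def audit(report: AppReport, expected: AbstractSet[str] = frozenset()) -> List[str]:
    """Findings for one app; `expected` names capabilities its declared purpose needs."""
    findings: List[str] = []
    if report.installer not in TRUSTED_INSTALLERS:
        findings.append(f"sideloaded (installerPackageName={report.installer})")
    for cap, perms in sensitive_capabilities(report).items():
        if cap in expected:
            continue
        state = "granted" if any(p in report.granted for p in perms) else "requested only"
        findings.append(f"{cap}: {', '.join(perms)} ({state})")
    return findings

# Constructed dumpsys excerpt (hypothetical package names, not Sqgame's): a sideloaded
# "card game" holding spyware-grade permissions beside a Play-installed app.
SAMPLE_DUMPSYS = """\
  Package [com.example.cardgame] (3f2a1b7):
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.RECORD_AUDIO
      android.permission.READ_SMS
      android.permission.READ_CALL_LOG
      android.permission.READ_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=4096 installed=true hidden=false suspended=false
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET]
        android.permission.READ_CALL_LOG: granted=false, flags=[ USER_SET]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET]
  Package [com.example.notes] (9c0d4e2):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
"""
```

On a real device, capture `adb shell dumpsys package > dump.txt`, call `parse_dumpsys()` on the file contents and run `audit()` over each report; for the constructed sample the card game yields a sideloading finding plus four capability findings (call logs shows as "requested only" because the user denied it), while the Play-installed app yields none. Pass `expected={"microphone"}` and similar for apps whose purpose genuinely justifies a capability, so that only the surprising ones surface.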
ESET did not provide specific indicators of compromise such as file hashes or C2 domains in the public summary. Defenders should consult the full ESET report for technical details.

