North Korea's APT37 threat group, widely tracked under the aliases ScarCruft and Ricochet Chollima, has expanded its arsenal with a new Android variant of its long-standing BirdCall backdoor. According to researchers at ESET, the group weaponized a legitimate Chinese Android game platform to silently distribute the spyware, marking a significant escalation in the group's mobile targeting capabilities. The campaign highlights how state-sponsored actors continue to blur the line between supply chain compromise and targeted espionage.

A Familiar Backdoor Moves to Android

BirdCall is not a new name in the threat intelligence community. The malware family has been associated with ScarCruft since at least 2021, primarily deployed against Windows targets. Its Windows variant is a capable surveillance tool — recording keystrokes, capturing screenshots, stealing clipboard contents, exfiltrating files, and executing arbitrary shell commands on compromised machines.

What ESET uncovered is a previously undocumented Android port of BirdCall, developed around October 2024, with at least seven distinct versions identified during the investigation. The transition to Android represents a deliberate strategic expansion, giving APT37 persistent access to a class of devices that carry some of the most sensitive personal data available — contacts, messages, location, and microphone access.

The Attack Vector: A Trojanized Game Platform

The delivery mechanism is a classic supply chain intrusion. APT37 compromised sqgame[.]net, a Chinese website hosting games for Android, iOS, and Windows. The platform caters specifically to Korean-speaking users residing in the Yanbian autonomous region of China — a well-known transit corridor for North Korean defectors and refugees. This geographic and demographic targeting is consistent with APT37's historical focus on individuals with ties to the Korean peninsula.

ESET found that only Android and Windows game packages on the platform were trojanized. The attackers injected malicious code directly into otherwise functional APKs, making the infected apps difficult to distinguish from their clean counterparts on the surface. Users downloading what appeared to be legitimate games were instead installing a fully featured spyware implant.
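Because the malicious code was injected into otherwise working game packages, a practical triage step for a defender is to compare a downloaded APK against a known-clean copy of the same release entry by entry: an APK is a ZIP archive, so any added or modified `.dex` or `.so` entry is a change to executable code and deserves a closer look. The script below is an added example, not ESET's tooling or anything from the sqgame platform; the two "APKs" it compares are constructed in memory, and the entry names and contents are placeholders.

```python
import hashlib
import io
import zipfile

# Entry types whose addition or modification changes what the app executes.
CODE_SUFFIXES = (".dex", ".so")


def entry_digests(apk_bytes: bytes) -> dict:
    """Map every file entry of an APK (a ZIP archive) to the SHA-256 of its contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def diff_apks(clean_apk: bytes, suspect_apk: bytes) -> dict:
    """Report entries that were added, removed, or changed relative to the clean package."""
    clean = entry_digests(clean_apk)
    suspect = entry_digests(suspect_apk)
    common = clean.keys() & suspect.keys()
    return {
        "added": sorted(set(suspect) - set(clean)),
        "removed": sorted(set(clean) - set(suspect)),
        "modified": sorted(name for name in common if clean[name] != suspect[name]),
    }


def code_changes(diff: dict) -> list:
    """Narrow a diff to the entries that alter executable behaviour (DEX bytecode, native libs)."""
    return sorted(name for name in diff["added"] + diff["modified"]
                  if name.endswith(CODE_SUFFIXES))


def build_apk(entries: dict) -> bytes:
    """Build a minimal APK-shaped ZIP in memory from {entry name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample packages: a clean game and a copy with an extra DEX file and an
# edited manifest. The contents are placeholders, not real bytecode.
CLEAN_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='example.game'/>",
    "classes.dex": b"dex\n035\x00clean-game-code",
    "lib/arm64-v8a/libgame.so": b"\x7fELF game native code",
    "res/drawable/icon.png": b"\x89PNG clean icon",
})
SUSPECT_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='example.game'/><!-- extra permissions -->",
    "classes.dex": b"dex\n035\x00clean-game-code",
    "classes2.dex": b"dex\n035\x00injected-code",
    "lib/arm64-v8a/libgame.so": b"\x7fELF game native code",
    "res/drawable/icon.png": b"\x89PNG clean icon",
})

if __name__ == "__main__":
    result = diff_apks(CLEAN_APK, SUSPECT_APK)
    print("diff:", result)
    print("code changes:", code_changes(result))
```

In practice the clean reference would be the same version obtained from the publisher's official channel; a matching file list but a different `classes2.dex` or a manifest that newly declares microphone, SMS, or contacts permissions is exactly the pattern a trojanized but still functional game produces.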

BirdCall Android: Surveillance Capabilities in Detail

The Android variant of BirdCall is an extensive spyware tool, though it currently lacks some of the more advanced command-and-control features present in the Windows version. Confirmed capabilities include:

  • IP geolocation extraction — pinpoints device location via network metadata
  • Contact list, call log, and SMS collection — comprehensive communication surveillance
  • Device fingerprinting — harvests OS version, kernel details, root status, IMEI, MAC address, IP, and network configuration
  • Periodic screenshot capture — passive visual surveillance of device activity
  • Audio recording between 7 PM and 10 PM local time — timed to capture likely evening conversations
  • File exfiltration — targets a specified directory for data theft, with a focus on extensions including .jpg, .doc, .pdf, .hwp, and .p12
  • C2 telemetry — reports battery temperature, RAM, storage, cloud configuration, and backdoor versioning to operator infrastructure
  • Silent MP3 loopback — plays an inaudible audio track to prevent the operating system from suspending the malware process

The inclusion of .hwp files — the native document format of Hangul Word Processor, widely used in South Korea — strongly reinforces the campaign's targeting of Korean-speaking victims. The .p12 extension targets personal certificate files, suggesting interest in stealing cryptographic credentials or authentication material.

What the Android Version Is Missing

Compared to the Windows BirdCall implant, the Android variant currently lacks several capabilities. ESET noted that shell command execution, network traffic proxying, browser and messenger app data targeting, file deletion and dropping, and process termination are not yet implemented on Android. This gap suggests the Android port is still maturing, and future versions may close the feature disparity as the operators invest further development resources.

Windows Infection Chain: RokRAT as the Pivot

On Windows, APT37's infection chain follows a different path. The initial foothold is established through a trojanized DLL — specifically mono.dll — which is distributed via the same compromised platform. Once executed, the malicious DLL downloads and runs RokRAT, another well-documented ScarCruft tool, which in turn deploys the Windows version of BirdCall. This multi-stage approach gives the operators flexibility and makes attribution and detection more complex for defenders.

APT37's Broader Malware Ecosystem

BirdCall is just one tool in ScarCruft's extensive custom toolkit. The group has a documented history of developing highly specialized malware for specific operational requirements:

  • THUMBSBD — designed to target air-gapped Windows systems, a rare and technically demanding capability
  • KoSpy — an Android spyware that previously infiltrated the Google Play Store
  • M2RAT — a targeted espionage implant used in selective attacks
  • Dolphin — a mobile backdoor for persistent device access

The breadth of this arsenal reflects APT37's status as a well-resourced, state-sponsored group with clearly defined intelligence collection mandates tied to North Korean government interests.

Defensive Recommendations

The BirdCall campaign underscores a recurring security principle: third-party app stores and unofficial distribution platforms carry inherently higher risk than official marketplaces. Users — particularly those in regions targeted by state-sponsored threat actors — should observe the following precautions:

  • Download applications exclusively from the Google Play Store or verified publisher websites
  • Audit app permissions at installation time, and revoke microphone, contacts, or storage access for apps that do not legitimately require them
  • Keep Android devices updated to ensure security patches are current
  • Use a reputable mobile security solution capable of detecting trojanized APKs
  • Be especially cautious when downloading software from regional or niche platforms, even when the content appears legitimate
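The permission audit in the second recommendation can be scripted for a device connected over ADB. The example below is added here and is not part of the original article: it parses the `granted=` lines that `adb shell dumpsys package <package>` prints, flags permissions a casual game should not hold (the list of surveillance-grade permissions is our own choice), and prints the matching `adb shell pm revoke` commands. The `dumpsys` excerpt is constructed and abbreviated; real output is much longer, but the permission lines have the same shape.

```python
import re

# Runtime permissions that map directly to the data BirdCall collects (contacts, call
# logs, SMS, location, audio, files). Classification is ours, chosen for this audit.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.READ_SMS": "SMS",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
}

# Matches lines such as "android.permission.READ_SMS: granted=true, flags=[ USER_SET ]".
PERM_LINE = re.compile(r"^\s*(android\.permission\.[A-Z_]+):\s*granted=(true|false)", re.M)


def granted_permissions(dumpsys_text: str) -> set:
    """Return every permission that dumpsys reports as granted."""
    return {name for name, granted in PERM_LINE.findall(dumpsys_text) if granted == "true"}


def audit_package(dumpsys_text: str) -> list:
    """List (permission, label) pairs for surveillance-grade permissions that are granted."""
    granted = granted_permissions(dumpsys_text)
    return sorted((perm, SURVEILLANCE_PERMISSIONS[perm])
                  for perm in granted if perm in SURVEILLANCE_PERMISSIONS)


def revoke_commands(package: str, findings: list) -> list:
    """Build the adb commands that revoke each flagged runtime permission."""
    return [f"adb shell pm revoke {package} {perm}" for perm, _label in findings]


# Constructed, abbreviated dumpsys output for a hypothetical game package.
SAMPLE_PACKAGE = "com.example.puzzlegame"
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.puzzlegame] (3a1b2c3):
    userId=10234
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=false, flags=[ USER_SET ]
        android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    findings = audit_package(SAMPLE_DUMPSYS)
    for perm, label in findings:
        print(f"{SAMPLE_PACKAGE} holds {label} access ({perm}) - not needed by a game")
    for cmd in revoke_commands(SAMPLE_PACKAGE, findings):
        print(cmd)
```

To run it against a real device, enumerate third-party packages with `adb shell pm list packages -3`, feed each package's `adb shell dumpsys package <name>` output to `audit_package`, and review the findings before revoking anything; a messaging app legitimately holds SMS access, a game almost never does.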

Conclusion

The BirdCall Android campaign is a textbook example of how sophisticated APT actors evolve their tooling to follow their targets across platforms. By compromising a niche gaming platform serving a strategically relevant population, APT37 combined supply chain tactics with precision targeting — delivering spyware to exactly the demographic most relevant to North Korean intelligence objectives. ESET's findings serve as a timely reminder that mobile devices are high-value espionage targets, and that supply chain integrity extends well beyond enterprise software into the consumer app ecosystem.