NK hackers use fake Facebook accounts to lead defectors to malware in Google Play

North Korea’s upcoming talks with the US may be a sign it is opening up, but the hermit kingdom isn’t willing to let its people off the hook just yet.

Sun Team, a hacking group thought to be loyal to the hermit kingdom, is using stolen South Korean Facebook profiles and Android malware in Google Play to track defectors.

Using fake Facebook profiles to spread links to malicious apps on Google Play is a refinement of previously discovered mobile attack techniques used to spy on defectors.

South Korean media reported in January that hackers were using the messaging app KakaoTalk and fake Facebook accounts to send targets Google URL shortener links, which led victims to bait apps that might be of interest to North Korean defectors and journalists. These included “Pray for North Korea” and a health care app called “BloodAssistant”.

Both apps loaded a trojan that uploaded data to and received commands from accounts on Dropbox and Yandex, according to security firm McAfee.