ScarCruft hackers push BirdCall Android malware via game platform

https://www.bleepingcomputer.com/news/security/scarcruft-hackers-push-birdcall-android-malware-via-game-platform/

Publish Date: 2026-05-05 05:04:00

Source Domain: www.bleepingcomputer.com

The North Korean hacker group APT37 has been delivering an Android version of a backdoor called BirdCall in a supply-chain attack through a video game platform.

While BirdCall is a known backdoor for Windows systems, APT37, also known as ScarCruft and Ricochet Chollima, has developed a variant for Android that doubles as spyware.

According to researchers at cybersecurity company ESET, the threat actor created BirdCall for Android around October 2024 and developed at least seven versions.

The attacks that ESET observed delivered the malware through sqgame[.]net, a Chinese site hosting games for Android, iOS, and Windows. However, the researchers found that only Android and Windows are targeted by the ScarCruft attacks.

The particular platform caters to Koreans in the autonomous Yanbian region in China, which acts as a crossing point for North Korean defectors and refugees.

Games on the compromised platform
Source: ESET

BirdCall spyware

BirdCall is a known malware family associated with ScarCruft and documented since 2021. The Windows version can record keystrokes, take screenshots, steal from the clipboard, exfiltrate files, and execute commands.

The campaign identified by ESET introduces a previously undocumented version of BirdCall developed for Android, which was delivered by trojanizing APKs on sqgame[.]net.

Trojanized version (right) vs clean APK (left)
Source: ESET
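The trojanized-versus-clean comparison above is the kind of integrity check a defender can automate when an APK is redistributed by a third party: treat the vendor's original as the reference and flag any entry that was added, removed or altered, with extra attention to new code files and a changed signing block. The script below is an added example written for this article, not code from ESET or BleepingComputer; the two sample APKs it builds are constructed placeholder zip files with made-up contents, and `diff_apk`, `triage` and `build_sample_apks` are names chosen here.

```python
import hashlib
import os
import tempfile
import zipfile


def entry_hashes(apk_path):
    """Map every file entry in an APK (a zip archive) to the SHA-256 of its bytes."""
    hashes = {}
    with zipfile.ZipFile(apk_path) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            hashes[info.filename] = hashlib.sha256(z.read(info)).hexdigest()
    return hashes


def diff_apk(clean_path, suspect_path):
    """Compare a redistributed APK against the vendor's reference build."""
    clean = entry_hashes(clean_path)
    suspect = entry_hashes(suspect_path)
    return {
        "added": sorted(set(suspect) - set(clean)),
        "removed": sorted(set(clean) - set(suspect)),
        "modified": sorted(n for n in clean.keys() & suspect.keys() if clean[n] != suspect[n]),
    }


def triage(report):
    """Turn the raw diff into findings that matter for a trojanized-APK case."""
    findings = []
    for name in report["added"]:
        if name.endswith(".dex"):
            # New Dalvik bytecode that the vendor never shipped: injected code.
            findings.append(f"extra code file added: {name}")
    for name in report["modified"]:
        if name.endswith(".dex"):
            # Existing bytecode altered, e.g. a patched entry point.
            findings.append(f"code file changed: {name}")
    if any(n.startswith("META-INF/") for n in report["added"] + report["modified"]):
        # Any change to the archive forces a re-sign; a different signing block
        # means the package no longer carries the vendor's signature.
        findings.append("signing metadata differs: APK was re-signed")
    return findings


def _write_apk(path, entries):
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)


def build_sample_apks(directory=None):
    """Constructed sample data: a placeholder 'clean' APK and a tampered copy."""
    directory = directory or tempfile.mkdtemp()
    clean = os.path.join(directory, "game-clean.apk")
    suspect = os.path.join(directory, "game-suspect.apk")
    base = {
        "AndroidManifest.xml": b"<constructed placeholder manifest/>",
        "classes.dex": b"dex\n035\x00constructed original game code",
        "res/layout/main.xml": b"<constructed layout/>",
        "META-INF/CERT.RSA": b"constructed vendor signing block",
    }
    _write_apk(clean, base)
    tampered = dict(base)
    tampered["classes.dex"] = b"dex\n035\x00constructed patched entry point"
    tampered["classes2.dex"] = b"dex\n035\x00constructed injected code"
    tampered["META-INF/CERT.RSA"] = b"constructed different signing block"
    _write_apk(suspect, tampered)
    return clean, suspect


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        clean_apk, suspect_apk = build_sample_apks(d)
        for finding in triage(diff_apk(clean_apk, suspect_apk)):
            print(finding)
```

Run against a real case, `diff_apk` takes the APK downloaded from the vendor's own store as the reference and the copy obtained from the mirror as the suspect; a clean mirror produces an empty report, while any entry under `META-INF/` that differs is sufficient on its own to say the package is not the vendor's build.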

The Android variant of BirdCall has the following capabilities:

  • Extracts IP geolocation information
  • Collects contact list, call log, and SMS
  • Collects device OS, kernel, rooted status, IMEI number, MAC address, IP address, and network info
  • Sends to C2 info about battery temperature, RAM, and storage, cloud configuration, backdoor version, and file extensions of interest (.jpg, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .pdf, .m4a, and .p12)
  • Periodically takes screenshots
  • Records audio via the microphone from 7 pm to 10 pm local time
  • Plays a silent MP3 in a…
