A sophisticated Android malware operation has emerged, targeting mobile users worldwide with particular focus on South Korea. Called DocSwap, this nasty piece of work masquerades as a legitimate document viewer application while secretly stealing sensitive information. First detected on December 13, 2024, it’s been linked to a North Korean APT group known as puNK-004. Not exactly the Christmas present anyone wanted.
The malware employs some pretty clever tricks. It decrypts an internal “security.db” file using XOR operations and dynamically loads the resulting DEX files to execute its dirty work. Keylogging? Check. Data theft? Absolutely. It even keeps itself running as a foreground service, holding a persistent notification through the StartForeground API. These hackers didn’t cut corners on functionality.
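The XOR-decrypt-then-load-DEX step described above is something an analyst can triage with a known-plaintext key recovery. The following is an added example, not code from the original article or from any published DocSwap analysis: it assumes a repeating-key XOR of at most 8 bytes (the article gives no details of the actual scheme), uses the DEX magic as known plaintext, confirms each candidate key against the fixed header_size and endian_tag fields of a DEX header, and works on a constructed sample built inline.

```python
import struct

# DEX magics for format versions 035-039 ("dex\n0NN\0"), the known plaintext we rely on.
DEX_MAGICS = [b"dex\n03%d\0" % v for v in range(5, 10)]
HEADER_SIZE_OFF, ENDIAN_TAG_OFF = 0x24, 0x28       # fixed offsets in the DEX header
DEX_HEADER_SIZE, DEX_ENDIAN_TAG = 0x70, 0x12345678  # values every valid DEX header carries

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (symmetric: encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def _header_fields_ok(plain: bytes) -> bool:
    """Confirm a candidate plaintext beyond the magic: header_size and endian_tag must match."""
    if len(plain) < ENDIAN_TAG_OFF + 4:
        return False
    hdr_size, endian = struct.unpack_from("<II", plain, HEADER_SIZE_OFF)
    return hdr_size == DEX_HEADER_SIZE and endian == DEX_ENDIAN_TAG

def recover_xor_key(blob: bytes, max_key_len: int = 8):
    """Known-plaintext recovery of a repeating XOR key of length 1..max_key_len.

    Assumption (not from the article): the asset is a DEX file XORed with a
    repeating key no longer than the 8-byte magic. Returns (key, plaintext) or None.
    """
    if len(blob) < ENDIAN_TAG_OFF + 4:
        return None
    for magic in DEX_MAGICS:
        # Key stream implied by the magic: ciphertext XOR known plaintext.
        stream = bytes(c ^ m for c, m in zip(blob[:8], magic))
        for klen in range(1, max_key_len + 1):
            key = stream[:klen]
            if xor_bytes(magic, key) != blob[:8]:  # key must repeat consistently over the magic
                continue
            plain = xor_bytes(blob, key)
            if _header_fields_ok(plain):  # rejects keys that only fit the first 8 bytes
                return key, plain
    return None

def build_fake_dex_header() -> bytes:
    """Constructed 0x70-byte DEX header stub (magic plus the two fixed fields) for testing."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[:8] = DEX_MAGICS[0]
    struct.pack_into("<II", hdr, HEADER_SIZE_OFF, DEX_HEADER_SIZE, DEX_ENDIAN_TAG)
    return bytes(hdr)

SAMPLE_KEY = b"\x5a\xa7\x13"  # constructed key; DocSwap's real key is not on the page
ENCRYPTED_SAMPLE = xor_bytes(build_fake_dex_header(), SAMPLE_KEY)
```

On a real sample you would read the decrypted asset from the app's files directory and feed it to `recover_xor_key`; a returned key plus a plaintext beginning with the DEX magic is a strong triage signal, while `None` means the scheme is not a short repeating XOR.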
DocSwap’s command and control capabilities are extensive—supporting 57 distinct malicious commands. Remote audio recording, camera access, file manipulation. The works. It can even factory reset your device. Because why not completely ruin someone’s day?
Just what you need—malware with 57 attack functions ready to hijack your camera, reset your phone, and obliterate your digital life.
Distribution methods vary. Google Play Store, phishing emails, compromised websites—they’re throwing everything at the wall. The malware is pushed specifically through fake document viewer promotions. Like other infostealer trojans, DocSwap runs silently, which makes detection extremely difficult for average users. Over 10,000 attack attempts were observed in just one week. That’s a lot of potential victims.
Security researchers have connected DocSwap to a CoinSwap phishing page, which later displayed a Naver favicon—suggesting possible links to the Kimsuky group. S2W Threat Intelligence tracks this threat as puNK-004. This campaign particularly targets financial institutions due to their reliance on AI-driven services and mobile banking integrations. The campaign seems to exploit South Korea’s growing mobile ID adoption. Smart timing on their part.
For protection, users should review app permissions strictly and use reputable antivirus software. Regular system updates help too. And maybe—just a thought—don’t download random document viewing apps from sketchy sources? Enable Google Play Protect while you’re at it. The threat is real, and it’s targeting financial data. Your crypto wallet won’t protect itself. Bear in mind that the malware requests extensive device permissions, including access to contacts, storage, and SMS messages, which is what gives it complete surveillance of an infected device.