Threat actors launched a new campaign using malicious Android applications that mimic a popular Korean delivery service. These apps employ artificial intelligence-powered obfuscation to bypass traditional antivirus detection and steal sensitive user information. The actors behind this operation leverage advanced knowledge of mobile security vulnerabilities, integrating several evasion strategies to operate undetected.
The campaign uses a deceptive delivery mechanism, appearing to be a legitimate package tracking application. Once users grant permissions, the malicious Android application presents an interface mirroring the genuine delivery service. It connects to authentic tracking websites, using randomly generated tracking numbers. This social engineering tactic establishes trust as the app conducts malicious activities in the background, posing a significant risk to victims.
ASEC security analysts identified the malware after observing consistent distribution patterns across multiple channels. Their investigation revealed that threat actors used AI-enhanced obfuscation techniques to mask the app’s functionality, complicating reverse engineering for security researchers.
Detection Evasion Through Intelligent Obfuscation
The applications demonstrate technical sophistication in their obfuscation methods. Developers applied AI-powered ProGuard obfuscation, transforming all class names, function identifiers, and variable names into meaningless eight-character Korean text strings. Unlike standard obfuscation, these random Korean characters significantly hinder pattern-based detection by automated security tools.
Resource names remained unmodified, indicating a selective obfuscation strategy. This selective strategy specifically hides the app’s core functionality while preserving structural integrity for normal operation.
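The obfuscation pattern described above (every class, method and variable name replaced by an eight-character Korean string while resource names stay intact) is itself a signal a defender can key on. The following is an added example, not code from ASEC or from the campaign's samples: a small heuristic that takes a list of DEX class descriptors (assumed to have been extracted already with a DEX parsing tool such as a dexdump-style listing), skips framework packages the APK merely references, and reports what fraction of the app's own classes have fixed-length all-Hangul names. The sample descriptor list is constructed for illustration.

```python
import re
from collections import Counter

# Precomposed Hangul syllables occupy U+AC00..U+D7A3.
HANGUL_RE = re.compile(r'^[\uAC00-\uD7A3]+$')
# DEX class descriptor looks like "Lpkg/sub/Name;"; capture the simple name.
DESCRIPTOR_RE = re.compile(r'^L(?:[^;/]+/)*([^;/]+);$')
# Packages the APK references but does not define; ignore them in the ratio.
FRAMEWORK_PREFIXES = ("Landroid/", "Landroidx/", "Ljava/", "Ljavax/", "Lkotlin/")


def simple_name(descriptor):
    """Return the simple class name from a DEX descriptor, or None if not a class."""
    m = DESCRIPTOR_RE.match(descriptor)
    return m.group(1) if m else None


def is_hangul_identifier(name, length=8):
    """True when the identifier is exactly `length` Hangul syllables and nothing else."""
    return len(name) == length and HANGUL_RE.match(name) is not None


def analyze_class_list(descriptors, length=8, threshold=0.5):
    """Score an app's class list for the fixed-length Hangul renaming pattern.

    Returns a dict with the count of app-defined classes, how many carry an
    all-Hangul name of exactly `length` syllables, the resulting ratio, a
    histogram of Hangul name lengths, and a `suspicious` flag when the ratio
    reaches `threshold`.
    """
    app_classes = 0
    hits = 0
    hangul_lengths = Counter()
    for descriptor in descriptors:
        name = simple_name(descriptor)
        if name is None or descriptor.startswith(FRAMEWORK_PREFIXES):
            continue
        app_classes += 1
        if HANGUL_RE.match(name):
            hangul_lengths[len(name)] += 1
            if len(name) == length:
                hits += 1
    ratio = hits / app_classes if app_classes else 0.0
    return {
        "app_classes": app_classes,
        "hangul_fixed_len": hits,
        "ratio": ratio,
        "hangul_length_histogram": dict(hangul_lengths),
        "suspicious": ratio >= threshold,
    }


# Constructed sample: one framework class, one readable app class, three
# eight-syllable Hangul names and one shorter Hangul name.
SAMPLE_CLASSES = [
    "Landroid/app/Activity;",
    "Lcom/example/tracker/MainActivity;",
    "Lcom/example/tracker/가나다라마바사아;",
    "Lcom/example/tracker/각간갇갈감갑갓강;",
    "Lcom/example/tracker/하이에나코드소소;",
    "Lcom/example/tracker/a/가나다;",
]

if __name__ == "__main__":
    report = analyze_class_list(SAMPLE_CLASSES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The threshold is deliberately a parameter: legitimate Korean-language projects can contain a handful of Hangul identifiers, but a majority of classes sharing one exact length is what distinguishes mechanical renaming from ordinary naming. Pairing this score with a check that resource names remain readable (as the report notes they do here) narrows it further.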
Security researchers discovered the malware exfiltrates data from infected devices through compromised legitimate websites, which threat actors repurposed as command-and-control (C2) servers—central points attackers use to send commands and receive data. The actors hardcoded C2 server addresses into blogs on Korean portals, loading them dynamically upon application launch.
This technique creates an additional detection barrier. The malicious servers appear as benign web traffic to network monitoring systems, effectively concealing the data theft operation from security infrastructure.
Identified samples included five confirmed MD5 hashes, with associated URLs directing to compromised Korean domains used for data exfiltration. Security professionals should prioritize detecting and blocking these samples across their networks. They should also implement stricter application permission controls for delivery service applications.