# North Korean APT37 Targets Chinese Ethnic Koreans with Android Malware via Compromised Gaming Platform

A sophisticated cyber espionage campaign orchestrated by the North Korean hacking group **APT37** has been uncovered, targeting ethnic Koreans in the Yanbian region of China. The attackers leveraged a supply chain attack, compromising a popular Android mobile game to deliver the **BirdCall** backdoor.

## APT37's Mobile Malware Campaign

Ethnic Koreans residing in the Yanbian region of China, near the North Korean border, have been targeted in a cyber espionage campaign. Cybersecurity researchers at **ESET** have attributed this activity to **APT37**, a hacking group believed to be affiliated with North Korea's Ministry of State Security.

The attack vector involved a modified version of a suite of card games from a company called **Sqgame**. The compromised games contained a backdoor, dubbed **BirdCall**, which granted attackers extensive access to victims' devices.
## BirdCall Backdoor: Functionality and Spread

The **BirdCall** backdoor allows **APT37** to perform a range of malicious activities, including:

* Taking screenshots
* Recording calls
* Stealing personal data (contacts, SMS texts, call logs, media files, private keys)

Researchers initially believed **BirdCall** targeted only Windows devices, but an Android version was later discovered. **ESET** found seven different versions of the Android backdoor, indicating a sustained development effort.

Victims typically downloaded the compromised games directly through a web browser, bypassing the **Google Play** store, according to **ESET** researcher Filip Jurčacko. The initial file downloaded was not malicious; the compromise occurred through a malicious update package delivered by the **Sqgame** platform.
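The infection path above (an app sideloaded from a browser, later updated through the vendor's own channel rather than a store) is the kind of thing a mobile fleet owner can triage from installer metadata. The following is an added defender-side example; it is not code from ESET's report or from the original article. It assumes the line format of `adb shell pm list packages -i` (`package:<name>  installer=<installer or null>`), and every package name and the `com.example.oemstore` "trusted store" below are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `adb shell pm list packages -i` output. The line
# format (package:<name>  installer=<installer or null>) is assumed from the
# command's usual output; package names below are made up for this example.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.cardgame  installer=null
package:com.example.bank  installer=com.android.vending
package:com.example.oemstore.app  installer=com.example.oemstore
package:com.example.sideloaded  installer=com.android.packageinstaller
"""

# Installer package names an organisation treats as trusted app sources.
# Google Play is com.android.vending; com.example.oemstore is a constructed
# stand-in for a vetted OEM store.
TRUSTED_INSTALLERS = frozenset({"com.android.vending", "com.example.oemstore"})

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)\s*$")


def parse_pm_output(text: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package, or None when the installer is
    recorded as null (sideloaded or preinstalled)."""
    packages: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unexpected lines
        installer = m.group("installer")
        packages[m.group("pkg")] = None if installer == "null" else installer
    return packages


def sideloaded(packages: Dict[str, Optional[str]],
               trusted: frozenset = TRUSTED_INSTALLERS) -> List[str]:
    """Return packages whose installer is unknown or not a trusted store,
    i.e. apps whose future updates bypass store review."""
    return sorted(pkg for pkg, inst in packages.items()
                  if inst is None or inst not in trusted)


def triage_report(text: str) -> List[str]:
    """One human-readable line per flagged package."""
    packages = parse_pm_output(text)
    report = []
    for pkg in sideloaded(packages):
        source = packages[pkg] or "unknown (installer=null)"
        report.append(f"REVIEW {pkg}: installed via {source}; not from a trusted store")
    return report


if __name__ == "__main__":
    for line in triage_report(SAMPLE_PM_OUTPUT):
        print(line)
```

Two caveats when running this against real output: preinstalled system apps also report `installer=null`, so an allow-list of known system packages is needed to keep the noise down, and a clean result on the day of installation says nothing about what the app's own update channel delivers later, which is exactly the gap the campaign described above exploited. The value of the check is in surfacing which apps are outside store review so their update traffic and behaviour can be monitored.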
## APT37's History and Targets

**APT37** has been active since 2012, focusing primarily on espionage campaigns targeting South Korea and other Asian countries. Their targets have included government and military organizations, as well as North Korean defectors.

The Windows version of **BirdCall** was previously identified by South Korean cybersecurity vendor **AhnLab** in 2021.

**ESET** contacted **Sqgame** in December 2025 but did not receive a response. The malicious update package is no longer being distributed.

Last year, researchers found another strain of Android spyware developed and used by **APT37** embedded in apps available on the **Google Play** store. In 2024, **APT37** reportedly targeted South Korean academic experts and a North Korea-focused news outlet.