North Korean state-sponsored threat operation Kimsuky, also known as Thallium, Velvet Chollima, and Black Banshee, has been using the FastFire, FastSpy, and FastViewer Android malware strains in attacks against South Korean individuals, according to The Hacker News.
Researchers from South Korean cybersecurity firm S2W discovered that FastFire and FastViewer impersonate a Google security plugin and "Hancom Office Viewer," respectively, while FastSpy is an AndroSpy-based remote access tool.
Both FastSpy and FastViewer exploit Android's accessibility API permissions, with FastSpy automating user clicks to obtain more extensive permissions. Deployment of FastSpy could result in device takeovers, phone call and text message collection, and user location monitoring, according to the report.
"Kimsuky group has continuously performed attacks to steal the target's information targeting mobile devices... In addition, various attempts are being made to bypass detection by customizing Androspy, an open source RAT," said researchers, who urged increased vigilance against more sophisticated Android device-targeted attacks as Kimsuky evolves its targeting technique.