You download a game. It looks legit. It installs without a hitch. And then? Your private life starts leaking out, piece by digital piece. This isn’t science fiction anymore; it’s the latest gambit from the North Korean hacker collective APT37, aka ScarCruft. They’ve managed to take their established Windows backdoor, BirdCall, and give it a nasty Android makeover, slithering it onto devices through a seemingly innocent video game platform.
Seriously, the audacity. We’ve seen supply chain attacks before, of course, but this one feels particularly insidious because it’s targeting something many people—especially in certain regions—turn to for entertainment or a quick download: games.
Is This Just Another Mobile Trojan?
ESET researchers, bless their diligent souls, have been tracking this for a bit, noting that ScarCruft cooked up this Android version around October last year and has already churned out at least seven iterations. The delivery mechanism? A Chinese site called sqgame[.]net. Now, this platform hosts games for Android, iOS, and Windows, but here’s the kicker: only the Android and Windows versions seem to be the actual targets for ScarCruft’s malicious payload. And get this, the site apparently caters to Koreans in China’s Yanbian region—a place with historical ties and a known transit point for North Korean defectors. Coincidence? I doubt it.
The Windows version of BirdCall has been around since 2021, capable of logging keystrokes, grabbing screenshots, hoovering up files, and generally being a digital pest. But this new Android variant? It’s a whole other level of intrusive. It’s not just spying; it’s data harvesting on steroids.
It pulls your IP geolocation, snatches your contact list, call logs, and SMS messages. It wants your device’s OS, kernel, whether it’s rooted (a red flag, since a rooted device gives the malware far more to work with), your IMEI, MAC address, IP address, and network specifics. It’s also sniffing around battery temperature, RAM, storage, and even the files you’re working with, picked out by extension—think .jpg, .doc, .pdf, .p12 (that last one being a PKCS#12 container, i.e. certificates and private keys). Basically, anything that might be sensitive or useful for further exploitation.
But the real kicker? It’s set to record audio via your microphone every single night between 7 PM and 10 PM local time. And to keep itself from being kicked off the device, it plays a silent MP3 on a loop—a sneaky way to keep its process alive and undetected. Lovely.
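A defensive triage heuristic built from the capability list above, written as an added example (it is not ESET’s tooling and not code from the article): it parses a decoded AndroidManifest.xml, as apktool would produce it, and flags a “game” that requests the permission set this spyware profile needs, plus a media-playback foreground service of the kind a silent audio loop would use to stay resident. The permission names and the foregroundServiceType attribute are real Android ones; the sample manifest, package and service names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Real Android permissions mapped to the capability each enables, mirroring
# the data the article says the Android variant harvests.
SPYWARE_PROFILE = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.READ_PHONE_STATE": "device identifiers (IMEI etc.)",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "microphone recording",
    "android.permission.READ_EXTERNAL_STORAGE": "file harvesting",
    "android.permission.FOREGROUND_SERVICE": "long-lived background service",
}
# Constructed manifest (not a real sample); package and service names are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.game.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".KeepAliveService"
             android:foregroundServiceType="mediaPlayback"/>
  </application>
</manifest>"""

def requested_permissions(manifest_xml: str) -> set:
    """Names declared in <uses-permission> elements of a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}

def media_services(manifest_xml: str) -> list:
    """Services typed mediaPlayback: the hook a silent audio loop uses to stay resident."""
    root = ET.fromstring(manifest_xml)
    return [s.get(ANDROID_NS + "name") for s in root.iter("service")
            if "mediaPlayback" in (s.get(ANDROID_NS + "foregroundServiceType") or "")]

def triage(manifest_xml: str, threshold: int = 4) -> dict:
    """Score a manifest against the profile; >= threshold means review before installing."""
    hits = {p: SPYWARE_PROFILE[p] for p in requested_permissions(manifest_xml)
            if p in SPYWARE_PROFILE}
    services = media_services(manifest_xml)
    score = len(hits) + len(services)
    return {"hits": hits, "media_services": services, "score": score,
            "verdict": "suspicious" if score >= threshold else "plausible"}
```

A real game rarely needs more than INTERNET and storage; the score is a prompt to look closer, not a malware verdict on its own.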
The Missing Pieces (For Now)
Now, before you panic and ditch your phone, keep in mind that the Android version doesn’t have all the spooky toys from its Windows sibling. For now, it’s missing stuff like executing shell commands, proxying traffic, grabbing data from browsers and messaging apps, deleting files, or outright killing processes. ScarCruft is likely still building this thing out, adding features with each new version. They’re not exactly known for being lazy hackers, are they? Think THUMBSBD for air-gapped systems, KoSpy (which, hilariously, once made it onto Google Play), M2RAT, and the Dolphin mobile backdoor. They’ve got a whole arsenal.
So, while the Android BirdCall might be slightly less capable than its Windows cousin today, it’s still a significant threat. It’s a well-documented backdoor being actively developed and deployed by a persistent nation-state actor.
So, Who’s Actually Making Money Here?
This is where my cynical veteran journalist brain kicks in. Who profits from this elaborate scheme? Beyond the obvious strategic intelligence gains for North Korea, consider the platform itself, sqgame[.]net. Is it complicit? Is it compromised? Or is it just a victim of its own lax security? Either way, it’s being used as a vector. For ScarCruft and APT37, the ‘money’ isn’t necessarily direct cash. It’s about intelligence, access, and maintaining a persistent presence for espionage. They’re not selling this malware on the dark web; they’re using it for state-sponsored purposes. The cost of developing and maintaining these custom tools is significant, but the payoff for a government looking for intel on defectors, regional activities, or whatever else they deem important, is likely far greater. The real victims here are the users who trust these platforms with their data and their privacy.
The Usual Suspects and Advice
The advice, as always, is depressingly simple: only download software from official app stores and from publishers you absolutely, unequivocally trust. In this digital Wild West, that’s about the only line of defense many of us have against these increasingly sophisticated, and frankly, terrifying, threats.
Frequently Asked Questions
What is BirdCall malware? BirdCall is a backdoor malware family primarily associated with the North Korean hacking group APT37 (ScarCruft). While it has Windows variants that can steal files, record keystrokes, and take screenshots, a new Android version has emerged that functions as spyware, collecting extensive device and personal data.
How is BirdCall malware delivered on Android? The ScarCruft group is delivering the Android version of BirdCall by trojanizing APK files found on game download websites, such as sqgame[.]net. Users download what they believe to be a legitimate game, but it contains the malicious backdoor.
What kind of data does the Android BirdCall variant collect? The Android variant can extract IP geolocation, collect contact lists, call logs, SMS messages, and detailed device information (IMEI, MAC address, etc.). It also monitors battery status, storage, and periodically takes screenshots and records audio during specific evening hours.