This blog post is authored by Warren MercerPaul RascagneresVitor Ventura and with contributions from Jungsoo An.


Several days ago, EST Security published a post concerning a fake antivirus malware targeting the Android mobile platform. In the Korean media, it was mentioned that there could be a link between this Android malware and Group 123. Talos decided to investigate this malware. And due to our reporting and history of following of Group 123, we discovered some interesting elements.

Talos identified two variants of the Android Remote Administration Tool (RAT). Both samples have the same capabilities — namely to steal information on the compromised device (such as contacts, SMS and phone history) and record the victim’s phone calls. One variant uses a known Android exploit (CVE-2015-3636) in order to get root access on the compromised Android device. The data of both variants was sent using an HTTP POST to a unique command and control (C2) server. The ability to record calls was implemented based on an open-source project available on GitHub. We named this malware “KevDroid.”

Another RAT (this time targeting Windows) was identified hosted on the command and control server in use by KevDroid. This malware specifically uses the PubNub platform as its C2 server. PubNub is a global data stream network (DSN). The attackers use the PubNub API in order to publish orders to the compromised systems. This behaviour explains why we named it “PubNubRAT.”

At this time, we cannot identify a link between these samples and the Group 123 sample. We only identified a bundle of tactics, techniques and procedural elements that were too weak to identify a real link.




Talos Group

Talos Security Intelligence & Research Group