
North Korean hackers trojanize Android games in espionage supply-chain attack

ScarCruft hid BirdCall inside Android games, and one bad install could expose contacts, SMS, call logs, files, private keys, screenshots and nearby audio.

Nina Kowalski · 2 min read

North Korean-linked ScarCruft quietly turned a game platform into an espionage trap, and the risk for mobile players is bigger than a single bad APK. ESET said the campaign, which was probably running since late 2024, compromised a video game platform built around Yanbian-themed games: a malicious update to the Windows client dropped RokRAT and then BirdCall, while Android games on the same platform were trojanized with a new Android variant of the BirdCall backdoor.

That matters because the target was not random. ESET said the platform served ethnic Koreans living in Yanbian, China, a region it also described as a crossing point for North Korean refugees and defectors. ScarCruft, also known as APT37 or Reaper, has been active since at least 2012 and is widely assessed as a North Korean espionage group. MITRE ATT&CK likewise describes APT37 as North Korean state-sponsored.

For ordinary mobile players, the danger is the supply chain. If a game is sideloaded or updated outside a trusted store, the install can look normal while the payload is not. ESET said the Android BirdCall variant could collect contacts, SMS messages, call logs, documents, media files and private keys. It could also take screenshots and record surrounding audio, turning a game phone into a surveillance device.

The scale of that Android effort makes the story sharper. ESET said the mobile BirdCall version had been actively developed over several months, with at least seven versions deployed. That kind of iteration suggests this was not a one-off lure but a live operation tuned for persistence, collection and stealth. ESET also noted that BirdCall itself was first discovered in 2021 as a Windows backdoor, where it already had broad spying capabilities.

The practical red flags are the ones players often ignore: a game that asks for SMS, Contacts, Phone, microphone or storage access when it has no clear reason to need them; an update pushed through a launcher or download page instead of a mainstream store; or a game build that suddenly wants screen-capture or accessibility-style privileges. If you installed anything suspicious, remove it immediately, check recently granted permissions, review installed apps from unknown sources, and change passwords for accounts used on that phone, especially anything tied to game logins or two-factor codes.
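A small triage script for the permission and installer checks above, added here as an example and not taken from ESET or the article. It assumes you have pulled `adb shell dumpsys package <pkg>` output for a game app; the excerpt embedded below is constructed and simplified, and treating only Google Play (`com.android.vending`) as a mainstream store is an assumption.

```python
import re

# Permissions the article lists as red flags for a game: SMS, Contacts,
# Phone/call logs, microphone and storage (accessibility is a service,
# listed by "dumpsys accessibility", so it is out of scope here).
RED_FLAGS = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.READ_CALL_LOG": "Phone",
    "android.permission.RECORD_AUDIO": "Microphone",
    "android.permission.READ_EXTERNAL_STORAGE": "Storage",
}
# Assumption: only Google Play counts as a mainstream store for this check.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed, simplified excerpt of "adb shell dumpsys package com.example.game".
SAMPLE_DUMPSYS = """\
  Package [com.example.game] (1a2b3c):
    installerPackageName=com.example.launcher
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
"""

def triage(dump: str) -> dict:
    """Flag granted red-flag runtime permissions and a non-store installer."""
    installer, granted, in_runtime = None, [], False
    for line in (l.strip() for l in dump.splitlines()):
        m = re.match(r"installerPackageName=(\S+)$", line)
        if m:
            installer = m.group(1)
        elif line.endswith("permissions:"):
            # Only the "runtime permissions:" section carries user-revocable grants.
            in_runtime = line.startswith("runtime permissions")
        elif in_runtime:
            m = re.match(r"([\w.]+): granted=true", line)
            if m and m.group(1) in RED_FLAGS:
                granted.append((m.group(1), RED_FLAGS[m.group(1)]))
    return {
        "installer": installer,
        "granted_red_flags": granted,
        "suspicious": bool(granted) or installer not in TRUSTED_INSTALLERS,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_DUMPSYS))
```

A hit on `suspicious` is a prompt to look closer (revoke the permission, check where the APK came from), not proof of compromise.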

ESET has seen this pattern before. In February 2021, it documented Operation NightScout, a supply-chain attack on NoxPlayer that affected victims in Taiwan, Hong Kong and Sri Lanka. It has also warned that the Winnti Group, active since at least 2012, used trojanized video game software in supply-chain attacks. The message from this latest case is blunt: in mobile gaming, a bad download can cost far more than a lost match.
