article featured image


The North Korean cyberespionage group known as Kimsuky has been observed exploiting three different Android malware targeted specifically at South Korean users.

Kimsuky, also known as Velvet Chollima, Thallium, or Black Banshee, is a North Korean-based cybercrime group with operations going back to 2017. Back in August, an infection chain dubbed GoldDragon was deployed through a Windows backdoor and presented capabilities of stealing information and storing web browser login credentials.

This time, according to the researchers from South Korean cybersecurity company S2W, three Android malware strains have been identified as FastFire, FastViewer, and FastSpy.


FastFire disguises itself as a Google security plug-in, while the FastViewer malware pretends to be Hancom Office Viewer, a mobile viewer program that can read the Hangul documents (.hwp). FastSpy gets downloaded via FastViewer, and once launched it enables the threat actors to seize control, intercepting phone calls and messages, tracking users’ locations, capturing keystrokes, and even recording information from the phone’s camera, microphone, and speaker.

FastSpy is developed based on the source code of AndroSpy, a remote-control tool for Android devices that was released as an open source.


According to The Hacker News, FastSpy abuses the accessibility API obtained from FastViewer to get additional privileges without the user’s consent. If FastSpy asks specific permissions for malicious behaviors, a pop-up window is displayed. However, if FastSpy automates the clicking of the “Agree” button no actual interaction with users is required. This method resembles that of MaliBot.

As a way of preventing getting their Android infected and subsequently becoming a victim to cybercrime, users are urged to completely avoid downloading apps or program files from unreliable third-party sources, as well as exercise caution as to not fall for phishing attempts when browsing various webpages.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Author Profile

Mihaela Popa


Mihaela is a digital content creator for Heimdal® and the proud owner of an old soul and a curious mind. Passionate to learn and discover more about cybersecurity, she will gladly share her latest finds with you.

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo