VYPR
Research · Published May 7, 2026 · Updated May 17, 2026 · 1 source

APT37 Targets Ethnic Koreans in China with 'BirdCall' Android Spyware

North Korean state-sponsored hackers known as APT37 have targeted ethnic Koreans in China with a sophisticated Android backdoor called 'BirdCall' distributed through a compromised mobile gaming platform.

The North Korean state-sponsored hacking group known as APT37 has been identified targeting ethnic Koreans in the Yanbian region of China, a border area often called "Third Korea," using a sophisticated Android backdoor dubbed "BirdCall." Researchers at ESET found that the malware was distributed through a supply-chain attack involving a suite of card games from a developer called Sqgame (The Record).

The attack mechanism relies on a compromised update process rather than a trojanized initial download. The card games that victims downloaded from the Sqgame website were legitimate; the apps later prompted those users to install a malicious update package. ESET investigators determined that the platform had been compromised since at least November 2024, allowing the attackers to deliver the BirdCall backdoor to users who had installed the games directly through their web browsers, bypassing the Google Play store (The Record). Because the games were sideloaded, their updates also arrived outside the store's update channel, so the app itself, and the server it trusted, decided what package the user was asked to install.

Once installed, BirdCall grants APT37 extensive control over the compromised Android device. The malware can exfiltrate sensitive personal data, including SMS messages, contact lists, call logs, and media files. It can also take screenshots, record audio through the device's microphone to eavesdrop on the user, and search external storage for specific file types. ESET identified seven distinct versions of the Android backdoor, which the group developed over several months (The Record).
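The two preceding paragraphs describe the delivery path (an app installed from a browser rather than Google Play, then updated through its own update prompt) and the data the backdoor collects (SMS, contacts, call logs, microphone, shared storage). A practitioner triaging a device fleet would want to combine those two signals: which packages were sideloaded, and which of them hold the permission set needed for that kind of collection. The script below is an added example written for this page; it is not ESET's tooling and does not detect BirdCall specifically. It parses the real output format of `adb shell pm list packages -i` (where `installer=null` marks a package installed outside a store) and takes granted permissions as a plain mapping, as one would assemble from `dumpsys package` output. The package names, the inventory lines and the permission grants are constructed sample data, and the score threshold is an arbitrary starting point, not a published rule.

```python
"""Flag sideloaded Android packages whose granted permissions match a
surveillance-capability profile (SMS, contacts, call logs, microphone,
shared storage). Added example, not part of the original article or of
any vendor's tooling."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Installer package names treated as store-delivered. Add an enterprise
# or OEM store here if the fleet uses one. Browser-downloaded APKs are
# reported by `pm list packages -i` as installer=null.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Granted permissions that together give the capabilities described for
# BirdCall. The permission names are real Android permissions.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_SMS": "read SMS messages",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CONTACTS": "read contact list",
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.RECORD_AUDIO": "record via microphone",
    "android.permission.READ_EXTERNAL_STORAGE": "read shared storage / media",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "read all files on shared storage",
    "android.permission.READ_MEDIA_IMAGES": "read photos",
}

# Shape of one line of `adb shell pm list packages -i` output.
_PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_pm_list(text: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package; installer=null becomes None."""
    out: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = _PM_LINE.match(line.strip())
        if not m:
            continue  # blank lines or anything not in the expected shape
        pkg, installer = m.groups()
        out[pkg] = None if installer == "null" else installer
    return out


@dataclass
class Finding:
    package: str
    installer: Optional[str]
    sideloaded: bool
    capabilities: List[str]
    verdict: str  # "suspicious", "review" or "ok"


def surveillance_capabilities(granted: Set[str]) -> List[str]:
    """Describe which surveillance capabilities the granted permissions enable."""
    return [desc for perm, desc in SURVEILLANCE_PERMISSIONS.items() if perm in granted]


def triage(pm_list_text: str, granted_by_package: Dict[str, Set[str]],
           threshold: int = 3) -> List[Finding]:
    """Combine the sideload signal with the permission profile.

    Sideloaded + at least `threshold` capabilities -> suspicious.
    Sideloaded with any capability, or a store app with an unusually
    broad profile -> review (a messaging app legitimately needs many).
    Everything else -> ok. Results are sorted most-capable first.
    """
    findings = []
    for pkg, installer in parse_pm_list(pm_list_text).items():
        caps = surveillance_capabilities(granted_by_package.get(pkg, set()))
        sideloaded = installer not in TRUSTED_INSTALLERS
        if sideloaded and len(caps) >= threshold:
            verdict = "suspicious"
        elif caps and (sideloaded or len(caps) > threshold):
            verdict = "review"
        else:
            verdict = "ok"
        findings.append(Finding(pkg, installer, sideloaded, caps, verdict))
    findings.sort(key=lambda f: (-len(f.capabilities), f.package))
    return findings


# Constructed sample inventory; every package name below is hypothetical
# except Chrome, and the grants are made up for the example.
PM_LIST_SAMPLE = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.cardgame  installer=null
package:com.example.notes  installer=com.android.vending
package:com.example.flashlight  installer=null
package:com.example.messenger  installer=com.android.vending
"""

GRANTED_SAMPLE = {
    "com.android.chrome": {"android.permission.READ_CONTACTS"},
    "com.example.cardgame": {
        "android.permission.READ_SMS", "android.permission.READ_CONTACTS",
        "android.permission.READ_CALL_LOG", "android.permission.RECORD_AUDIO",
        "android.permission.READ_EXTERNAL_STORAGE",
    },
    "com.example.notes": {"android.permission.RECORD_AUDIO",
                          "android.permission.READ_EXTERNAL_STORAGE"},
    "com.example.flashlight": {"android.permission.RECORD_AUDIO"},
    "com.example.messenger": {
        "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
        "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
        "android.permission.RECORD_AUDIO",
    },
}

if __name__ == "__main__":
    for f in triage(PM_LIST_SAMPLE, GRANTED_SAMPLE):
        print(f"{f.verdict:10} {f.package:28} installer={f.installer} "
              f"caps={len(f.capabilities)}")
```

On the sample data the sideloaded card game is the only "suspicious" result; the store-delivered messenger with the same breadth of permissions lands in "review", which is the point of keeping the installer signal separate from the permission profile. In a real deployment the permission sets would be pulled per package from `dumpsys package` and the installer list would be extended with whatever store the organisation actually uses.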

APT37, which has been active since 2012 and is allegedly linked to North Korea's Ministry of State Security, has a history of espionage against South Korea and North Korean defectors. BirdCall was originally identified as a Windows-based threat by vendors such as AhnLab in 2021; this campaign shows the group carrying the same tooling into mobile espionage. ESET said it tried to contact Sqgame about the compromise in December 2025 and received no response, though the researchers noted that the update package is no longer malicious (The Record).

This campaign underscores the persistent threat North Korean actors pose to vulnerable populations, particularly refugees and defectors living in border regions. By using a supply-chain compromise to deliver spyware, APT37 continues to refine its methods for long-term surveillance. As mobile devices become the primary communication tools for these groups, the shift toward Android backdoors like BirdCall marks a significant evolution in the group's tactical capabilities (The Record).

Synthesized by Vypr AI