A North Korean hacking group has hidden spyware inside the apps of a small regional gaming platform — and the targets are people who fled the regime. Researchers have linked the campaign to ScarCruft, a state-backed group with a long history of surveilling defectors. The discovery of BirdCall Android malware embedded in legitimate game downloads marks a troubling evolution in how North Korea tracks people beyond its borders.
A Gaming Platform Turned Surveillance Tool
The compromised platform is Sqgame, a website hosting digital card and board games popular in the Yanbian region of northeastern China. Yanbian sits in Jilin province along the North Korean border and holds one of the largest ethnic Korean communities outside the peninsula. It also serves as a key transit point for people escaping North Korea — which makes it an obvious target for Pyongyang’s intelligence apparatus.
Security researchers at ESET discovered the campaign after flagging a suspicious Android APK file on VirusTotal. When they traced it back to its source, they found it came directly from the official Sqgame website. The infected file on VirusTotal was identical to the one available for download on the site. A second game app hosted on the same platform was also infected. The campaign appears to have been running since late 2024.
What Is BirdCall and What Can It Do?
BirdCall is an Android backdoor previously linked to North Korean threat actors. It gives attackers deep access to a compromised device — far beyond what most people would consider a phone’s sensitive data.
Once installed, BirdCall Android malware can collect contacts, SMS messages, call logs, documents, media files, and private keys. It can also take screenshots and record ambient audio, effectively turning a phone into a listening device. The malware blends its command-and-control traffic with regular network traffic to avoid detection. In this campaign, the attackers used Zoho WorkDrive as their command-and-control server, though the malware was built to support pCloud and Yandex Disk as alternatives.
The Android version of BirdCall carries a subset of the capabilities found in its Windows counterpart — but what it does have is more than enough for targeted surveillance of individuals.
How the Attack Was Carried Out
Researchers believe ScarCruft did not gain access to the source code of the Sqgame games themselves. Instead, the group likely compromised the platform’s web server. From there, they recompiled the original APK files to include the BirdCall backdoor and re-uploaded them to the site.
This approach is known as a supply-chain attack. The victim downloads what looks like a normal, functioning game from an official source. Nothing about the experience signals danger. But in the background, the malware runs silently and begins collecting data.
It is a method that is difficult to defend against because the infection point is the legitimate platform itself — not a phishing link or a suspicious third-party store.
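One defensive check that fits the repackaging described above, added here as an illustration rather than anything from ESET's report or from Sqgame: a recompiled and re-uploaded APK has to be re-signed, and unless the attackers also obtained the developer's signing key, the signer certificate changes even though the package name and the game itself look identical. The script below pins the SHA-256 fingerprint of the v1 (JAR) signer certificate stored in META-INF and flags any download whose certificate differs from the pin. The certificate subjects, the PKCS#7 skeleton and the two in-memory APKs are constructed fixtures, not real Sqgame artefacts, and the DER parsing is the minimum needed to locate the certificate (it does not validate the signature itself).

```python
"""Pin an APK's signing certificate to detect a repackaged build.

A repackaged APK must be re-signed, normally with a key the attacker controls,
so its signer certificate fingerprint differs from the developer's. This reads
the v1 (JAR) signature block in META-INF and compares the SHA-256 of the signer
certificate with a pinned value. All sample APKs below are constructed inline.
"""
import hashlib
import io
import zipfile


def der_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, tlv_start, value_start, tlv_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    hdr = 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    value_start = pos + hdr
    return tag, pos, value_start, value_start + length


def der_children(buf, start, end):
    """Yield the TLVs contained in a constructed DER value spanning [start, end)."""
    pos = start
    while pos < end:
        tlv = der_tlv(buf, pos)
        yield tlv
        pos = tlv[3]


def der(tag, content):
    """Encode a DER TLV; used only to build the constructed fixtures."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def signer_certificate(pkcs7):
    """Return the DER bytes of the first certificate in a PKCS#7 SignedData blob.

    ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    SignedData  ::= SEQUENCE { version, digestAlgorithms, encapContentInfo,
                               certificates [0] IMPLICIT SET OF Certificate, ... }
    """
    tag, _, cvs, cve = der_tlv(pkcs7, 0)
    if tag != 0x30:
        raise ValueError("PKCS#7 blob does not start with a SEQUENCE")
    fields = list(der_children(pkcs7, cvs, cve))
    if len(fields) < 2 or fields[1][0] != 0xA0:
        raise ValueError("missing [0] EXPLICIT content")
    _, _, sd_vs, sd_ve = der_tlv(pkcs7, fields[1][2])     # the SignedData SEQUENCE
    for t, _, value_start, tlv_end in der_children(pkcs7, sd_vs, sd_ve):
        if t == 0xA0:                                     # [0] IMPLICIT certificates
            _, c_start, _, c_end = next(der_children(pkcs7, value_start, tlv_end))
            return pkcs7[c_start:c_end]
    raise ValueError("no certificate in SignedData")


def apk_signer_fingerprint(apk_bytes):
    """SHA-256 hex fingerprint of the v1 signer certificate, or None if none is present."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                return hashlib.sha256(signer_certificate(apk.read(name))).hexdigest()
    return None


def verify_apk(apk_bytes, pinned_fingerprint):
    """True only if the APK carries a signer certificate matching the pinned value."""
    fp = apk_signer_fingerprint(apk_bytes)
    return fp is not None and fp == pinned_fingerprint


# ---- constructed fixtures: a "developer" build and a re-signed "repackaged" build ----
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")          # 1.2.840.113549.1.7.1


def fake_certificate(subject):
    """Constructed stand-in for an X.509 certificate DER (not a real certificate)."""
    return der(0x30, der(0x02, b"\x01") + der(0x13, subject.encode()))


def fake_pkcs7(cert):
    """Wrap a certificate in a minimal PKCS#7 SignedData skeleton (no real signature)."""
    signed_data = der(0x30, der(0x02, b"\x01")                 # version
                      + der(0x31, b"")                          # digestAlgorithms
                      + der(0x30, der(0x06, OID_DATA))          # encapContentInfo
                      + der(0xA0, cert)                         # certificates
                      + der(0x31, b""))                         # signerInfos
    return der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed_data))


def build_apk(cert=None):
    """Build an in-memory APK (a zip); with a cert, it carries a v1 signature block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed manifest>")
        z.writestr("classes.dex", b"dex\n035\0 constructed")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if cert is not None:
            z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            z.writestr("META-INF/CERT.RSA", fake_pkcs7(cert))
    return buf.getvalue()


DEVELOPER_CERT = fake_certificate("CN=game developer (constructed)")
ATTACKER_CERT = fake_certificate("CN=repackaged build (constructed)")
PINNED_FINGERPRINT = hashlib.sha256(DEVELOPER_CERT).hexdigest()   # recorded from a known-good copy
LEGIT_APK = build_apk(DEVELOPER_CERT)
REPACKAGED_APK = build_apk(ATTACKER_CERT)

if __name__ == "__main__":
    for label, apk in (("original", LEGIT_APK), ("repackaged", REPACKAGED_APK)):
        status = "OK" if verify_apk(apk, PINNED_FINGERPRINT) else "SIGNER MISMATCH"
        print(f"{label:11} {apk_signer_fingerprint(apk)[:16]}...  {status}")
```

The pin is taken once from a copy of the app known to be good and then stays valid across releases, which is the advantage over whole-file hashes such as the one ESET matched between the VirusTotal upload and the hosted download: a file hash has to be refreshed on every legitimate update, while the developer's signing certificate does not change. The check covers the v1 signature block only; an app signed exclusively with the v2 or v3 scheme keeps its signature in the APK Signing Block rather than in META-INF, and for those the same fingerprint can be read with apksigner verify --print-certs. Android enforces the same rule at update time (an update signed by a different key is refused), but a first install of a repackaged build from a compromised site passes that barrier, which is exactly the case this campaign exploited.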
Who Is ScarCruft?
ScarCruft, also tracked as APT37 and Reaper, is a North Korean state-sponsored hacking group that has been active since at least 2012. Its primary focus has always been espionage — specifically, surveillance of people and organisations that pose a political threat to the Pyongyang government.
Past targets have included North Korean defectors, journalists, human rights activists, and government and military entities in South Korea. The group has also conducted operations across Asia, Europe, and the Middle East. ScarCruft is known for constantly refining its tools and shifting its delivery methods to stay ahead of detection.
The BirdCall Android malware campaign fits this pattern. Rather than targeting corporate networks or financial systems, the group went after a small regional platform used by ordinary people — people who, by virtue of where they live and who they are, make for valuable surveillance targets.
Why Yanbian?
The choice of Sqgame as a vector is not random. Yanbian is home to a significant ethnic Korean population and acts as one of the main routes for North Korean defectors moving through China. People in the region are likely to use Korean-language apps and platforms, making Sqgame a natural entry point.
ESET researchers concluded that the most probable goal of this campaign is surveillance of defectors. For North Korea, monitoring people who have left the country — and tracking their contacts, communications, and movements — is a long-standing priority. Digital surveillance has become a key part of that effort.
What This Means for Android Users
This campaign is a reminder that Android malware does not always arrive through obvious channels. It does not always come from a suspicious link or an unknown developer on a third-party store. Sometimes it comes from a platform that looks entirely legitimate — because it was, before the attackers got to it.
For most people, the practical takeaways are straightforward. Keeping devices updated, using security software, and being cautious about app permissions all reduce risk. A VPN also adds a layer of protection by encrypting traffic, which makes it harder for malicious software to send data back to a remote server undetected.
But for people in high-risk communities — defectors, activists, journalists covering North Korea — the threat is more direct. The BirdCall Android malware campaign shows that attackers are willing to compromise third-party infrastructure specifically to reach them.
Final Thoughts
The Sqgame supply-chain attack is a precise, targeted operation. ScarCruft did not cast a wide net. The group identified a platform used by a specific community, compromised it quietly, and waited. The BirdCall Android malware embedded in those game apps is not about financial gain — it is about knowing where people are, who they talk to, and what they say.
For anyone using Android devices and concerned about privacy, this case makes a strong argument for treating every app — even one from a familiar platform — as a potential risk. The line between a safe download and a surveillance tool can be thinner than it appears.