
ScarCruft hackers deploy BirdCall malware via gaming platform.


ESET researchers say APT37 created an Android variant of the BirdCall backdoor around October 2024 and developed at least seven versions.

APT37 (ScarCruft / Ricochet Chollima) expands BirdCall to Android

The North Korean-linked threat actor APT37 — also tracked under the names ScarCruft and Ricochet Chollima — has adapted BirdCall, a backdoor long associated with the group on Windows, into an Android spyware variant, according to analysis published by cybersecurity company ESET. BirdCall has been documented since 2021 on Windows, where it can perform wide-ranging espionage tasks; the Android build represents a clear extension of that toolset into mobile platforms.

Supply-chain delivery through a regional game platform: sqgame.net

ESET’s investigation found the Android BirdCall variant delivered via a supply-chain technique: trojanized APK files hosted on sqgame[.]net, a Chinese site that hosts games for Android, iOS, and Windows. The platform primarily serves Koreans in the autonomous Yanbian region of China — identified in the report as a local crossing point for North Korean defectors and refugees. Of the ScarCruft activity observed by ESET on the platform, only Android and Windows systems were targeted.

Android capabilities: extensive data collection and surveillance

The Android version of BirdCall operates as spyware with a broad set of data-collection and persistence features. ESET’s technical summary lists the following capabilities:

  • Extracts IP geolocation information.
  • Collects the device contact list, call log, and SMS messages.
  • Harvests device identifiers and state: operating system and kernel information, rooted status, IMEI number, MAC address, IP address, and network details.
  • Sends telemetry to command-and-control (C2) servers, including battery temperature, RAM and storage statistics, cloud configuration, backdoor version, and a list of file extensions of interest (.jpg, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .hwp, .pdf, .m4a, .p12).
  • Periodically takes screenshots.
  • Records audio via the microphone between 7 p.m. and 10 p.m. local time.
  • Plays a silent MP3 in a continuous loop to prevent Android from suspending the malware’s process.
  • Exfiltrates files from a configured directory on the device.

How the Android build differs from Windows BirdCall

ESET notes that the Android variant does not yet implement all of the commands found in the Windows version. The missing functions include shell command execution, traffic proxying, targeted collection of browser and messenger data, file deletion and dropping, and process killing. By contrast, ESET describes the Windows infection chain as beginning with a trojanized DLL (mono.dll) that downloads and executes RokRAT, which then deploys the Windows BirdCall payload.

What this means for technologists and end users in Yanbian

Technologists and security teams: The use of trojanized APKs on a regional game platform highlights a supply-chain vector that can reach specific communities. Teams monitoring Android telemetry and hunting for unusual C2 communications, the presence of silent audio loops, or anomalous access to contact lists and SMS archives can work from the indicators ESET documented. The timeline — an Android variant created around October 2024 with at least seven versions since — signals active development rather than a one-off experiment.
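As an added illustration of the hunting approach described above (not code from ESET or from the report), the following heuristic flags an app whose behaviour combines several of the BirdCall traits listed earlier: microphone use in the 7 p.m. to 10 p.m. window, a looping silent audio stream, queries against the SMS/contacts/call-log providers, reads of the document extensions of interest, and outbound connections. The event line format and the sample events are constructed for this example; a real deployment would map the same checks onto whatever telemetry the MDM or EDR product actually emits.

```python
import os
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not from the report): "<package> <ISO timestamp> <event> <detail>"
SAMPLE_EVENTS = [
    "com.example.game 2025-03-01T19:12:03 PERMISSION_USE RECORD_AUDIO",
    "com.example.game 2025-03-01T19:12:05 AUDIO_PLAYBACK loop=true volume=0.0",
    "com.example.game 2025-03-01T19:20:10 CONTENT_QUERY content://sms",
    "com.example.game 2025-03-01T19:20:11 CONTENT_QUERY content://contacts",
    "com.example.game 2025-03-01T19:21:00 FILE_READ /sdcard/Documents/report.hwp",
    "com.example.game 2025-03-01T19:21:02 NET_CONNECT 203.0.113.10:443",
    "com.example.music 2025-03-01T20:00:00 AUDIO_PLAYBACK loop=true volume=0.8",
    "com.example.music 2025-03-01T20:00:01 PERMISSION_USE RECORD_AUDIO",
]

# Extensions the report lists as being of interest to the backdoor
WATCH_EXTENSIONS = {".jpg", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                    ".txt", ".hwp", ".pdf", ".m4a", ".p12"}
SENSITIVE_URIS = ("content://sms", "content://contacts", "content://call_log")


def parse_event(line):
    """Split one constructed telemetry line into (package, timestamp, kind, detail)."""
    app, ts, kind, detail = line.split(" ", 3)
    return app, datetime.fromisoformat(ts), kind, detail


def tag_behaviours(lines):
    """Return {package: set of behaviour tags} for every app seen in the events."""
    findings = defaultdict(set)
    for line in lines:
        app, ts, kind, detail = parse_event(line)
        # Microphone use inside the 19:00-21:59 local window the report describes
        if kind == "PERMISSION_USE" and detail == "RECORD_AUDIO" and 19 <= ts.hour < 22:
            findings[app].add("evening_mic_recording")
        # Looping playback at zero volume: the keep-alive trick, not a media player
        elif kind == "AUDIO_PLAYBACK" and "loop=true" in detail and "volume=0.0" in detail:
            findings[app].add("silent_audio_loop")
        elif kind == "CONTENT_QUERY" and detail.startswith(SENSITIVE_URIS):
            findings[app].add("pim_data_access")
        elif kind == "FILE_READ" and os.path.splitext(detail)[1].lower() in WATCH_EXTENSIONS:
            findings[app].add("document_read")
        elif kind == "NET_CONNECT":
            findings[app].add("network")
    return findings


def suspicious_apps(lines, min_tags=3):
    """Apps showing at least min_tags distinct BirdCall-like behaviours; tags sorted for stable output."""
    return {app: sorted(tags) for app, tags in tag_behaviours(lines).items() if len(tags) >= min_tags}
```

Any single tag (a music app looping a track, a voice recorder using the microphone in the evening) is benign on its own; the signal is the combination, which is why the threshold counts distinct behaviours per package.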

End users in the Yanbian region and wider Android user base: The platform sqgame[.]net specifically targets Koreans in Yanbian, a population the report identifies as having particular exposure via that site. ESET’s practical advice — to download software only from official marketplaces and trusted publisher sites — is the primary mitigation recommended in the published findings.

ScarCruft’s tooling is varied and persistent: ESET’s report also links the actor to other custom malware families, including THUMBSBD (aimed at air-gapped Windows systems), the KoSpy Android malware that previously reached Google Play, M2RAT used in targeted espionage, and the Dolphin mobile backdoor. The emergence of an Android BirdCall suggests the group continues to iterate its capabilities across platforms. Whether the Android build will acquire the Windows-only commands over time remains an open question; for now, defenders and users in affected communities are left to contend with a mobile backdoor that already captures a wide range of personal and device data.

Read the original ESET-based report on BleepingComputer