The North Korea–linked Kimsuky group is using QR code phishing to trick users into installing DocSwap malware disguised as delivery applications.

Security researchers have uncovered a new mobile malware campaign linked to the Kimsuky threat group, in which attackers distribute DocSwap Android malware through QR code phishing attacks. The campaign disguises malicious apps as legitimate delivery services, exploiting user trust in everyday mobile applications.
The attack begins with phishing messages delivered via email, messaging platforms, or printed materials containing QR codes. These messages claim to relate to missed deliveries, shipping updates, or package confirmations. When victims scan the QR code, it redirects them to a fake website that closely resembles an official app store or delivery service portal.
The site prompts users to download what appears to be a delivery tracking application. The downloaded app, installed directly from the attacker's site rather than through an app store, carries the DocSwap malware. Once installed, it requests permissions far beyond what a tracking app needs, often under the guise of enabling tracking features or notifications. Because the requests arrive in the familiar Android permission dialogs, users grant the malware access to sensitive device functions without realizing what they are approving.
DocSwap focuses on data collection and surveillance. It can access files, monitor device activity, and extract stored information. Researchers warn that the malware also enables remote command execution, allowing attackers to expand their control over infected devices. This capability makes DocSwap particularly valuable for long-term espionage operations.
The use of QR phishing represents a strategic shift. Because the destination URL is encoded in an image rather than written as text, email gateways and link-rewriting filters that inspect URLs in message bodies never see it, and a QR code printed on a notice or embedded in a message looks more like an ordinary convenience than a link to be questioned. Scanning also moves the victim from the mail client, where such protections might exist, to a personal phone where they usually do not. Moreover, mobile users tend to act quickly when scanning codes, which reduces scrutiny. Consequently, attackers achieve higher success rates with minimal effort.
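The counter to a link hidden in an image is to decode the QR payload and vet the URL before anyone follows it. The script below is an added example written for this article, not code from the original report or from any DocSwap analysis. It assumes the QR image has already been decoded by an existing tool (zbarimg, or a mail gateway's image pipeline) and starts from the decoded string; the store allow-list, the delivery vocabulary, the shortener list and the sample payloads are assumptions constructed for illustration. It flags the traits the campaign described above relies on: a direct APK download, a host that is not an official store, delivery-themed lookalike hostnames, plain HTTP, and shorteners that mask the destination.

```python
"""Vet a URL decoded from a QR code before anyone visits it.

Added example, not code from the original article or from any vendor
report on DocSwap. Decoding the QR image is left to an existing tool
(zbarimg, a mail gateway's image pipeline); this module takes the decoded
payload string. The allow-list, brand keywords, shortener list and the
sample payloads are assumptions/constructed data for illustration.
"""
from urllib.parse import urlparse

# Hosts from which an Android app may legitimately be installed (assumed;
# extend with the delivery companies' real domains in your environment).
OFFICIAL_STORE_HOSTS = {"play.google.com", "apps.samsung.com"}

# Vocabulary a delivery-themed lure is likely to reuse in its hostname (assumed).
DELIVERY_KEYWORDS = ("delivery", "parcel", "courier", "tracking", "shipping")

# Shorteners that hide the real destination until the phone follows them (assumed).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}


def host_is_official(host: str) -> bool:
    """Match on label boundaries so 'play.google.com.evil.example' is rejected."""
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_STORE_HOSTS)


def vet_qr_url(payload: str) -> dict:
    """Return {'url', 'host', 'suspicious', 'reasons'} for one decoded payload."""
    reasons = []
    parsed = urlparse(payload.strip())
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()

    if parsed.scheme not in ("http", "https"):
        reasons.append(f"non-web scheme '{parsed.scheme}'")
    elif parsed.scheme == "http":
        reasons.append("plain HTTP")

    if host in SHORTENERS:
        reasons.append("URL shortener hides destination")

    # A direct package download is the sideloading path the lure depends on:
    # an official store never hands the phone a raw .apk link.
    if path.endswith(".apk"):
        reasons.append("direct APK download")
        if not host_is_official(host):
            reasons.append("APK served outside official store")

    # Delivery vocabulary on a host that is not an official store is the
    # lookalike pattern: 'parcel-tracking-update.example' instead of a brand's domain.
    if host and not host_is_official(host) and any(k in host for k in DELIVERY_KEYWORDS):
        reasons.append("delivery-brand lookalike host")

    return {"url": payload, "host": host, "suspicious": bool(reasons), "reasons": reasons}


def triage(payloads):
    """Vet several payloads and return only the suspicious ones."""
    return [v for v in (vet_qr_url(p) for p in payloads) if v["suspicious"]]


if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder would emit them.
    SAMPLES = [
        "https://play.google.com/store/apps/details?id=com.example.tracker",
        "http://parcel-tracking-update.example/app/DeliveryTracker.apk",
        "https://bit.ly/3abc",
    ]
    for verdict in triage(SAMPLES):
        print(verdict["url"], "->", "; ".join(verdict["reasons"]))
```

The allow-list match is deliberately on label boundaries: a substring check would accept a host such as play.google.com.evil.example, which is exactly the kind of name a lookalike site uses. Shortened links are flagged rather than expanded, because expanding them means a machine in your environment contacts attacker infrastructure.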
Security experts advise users to avoid scanning QR codes from unsolicited messages, and to type a delivery company's address into the browser rather than follow a code when a shipment notice seems plausible. They also recommend installing apps only from official app stores, declining any prompt to allow installation from unknown sources, and reviewing the permissions an app requests against what it actually needs to do before approving them. Keeping devices updated and using mobile security solutions further reduces risk.
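The permission review recommended above can be made concrete, for analysts looking at a suspect APK rather than end users tapping through dialogs. The script below is an added example for this article, not code from the original report or from any DocSwap analysis. It reads the uses-permission entries from a decoded AndroidManifest.xml (as produced by apktool or an equivalent; the sample manifest here is constructed), compares them with an assumed baseline of what a parcel-tracking app can justify, and names the surveillance capabilities that any extra permissions would give the app. The permission names are real Android identifiers; the baseline, the surveillance grouping and the verdict thresholds are this example's assumptions.

```python
"""Flag permissions a 'delivery tracking' app has no business requesting.

Added example, not from the original article or any vendor report. Input is a
decoded AndroidManifest.xml (apktool output or similar); the EXPECTED baseline,
the SURVEILLANCE grouping and the sample manifest below are assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a parcel-tracking app can plausibly justify (assumed baseline).
EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.CAMERA",                  # scanning a label on the parcel
    "android.permission.ACCESS_COARSE_LOCATION",  # nearest pickup point
}

# Real Android permission names that give an app surveillance reach; the
# grouping and the one-line explanations are this example's, not Android's.
SURVEILLANCE = {
    "android.permission.READ_SMS": "read SMS (message capture, OTP theft)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CONTACTS": "harvest contacts",
    "android.permission.READ_CALL_LOG": "harvest call history",
    "android.permission.RECORD_AUDIO": "microphone capture",
    "android.permission.ACCESS_FINE_LOCATION": "precise location tracking",
    "android.permission.READ_EXTERNAL_STORAGE": "read user files",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays (fake prompts, clickjacking)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further packages",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility abuse (screen reading, auto-granting)",
}


def permissions_from_manifest(xml_text: str) -> list:
    """Collect android:name from every <uses-permission> element."""
    root = ET.fromstring(xml_text)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def review_permissions(declared) -> dict:
    """Compare declared permissions with the baseline and explain the excess.

    verdict: 'ok' (within baseline), 'review' (unexpected but benign-looking),
    'reject' (at least one surveillance-grade permission).
    """
    declared = set(declared)
    unexpected = sorted(declared - EXPECTED)
    surveillance = {p: SURVEILLANCE[p] for p in sorted(declared) if p in SURVEILLANCE}
    verdict = "reject" if surveillance else ("review" if unexpected else "ok")
    return {"unexpected": unexpected, "surveillance": surveillance, "verdict": verdict}


# Constructed sample: a manifest shaped like the lure described in the article.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.deliverytracker">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Delivery Tracker"/>
</manifest>
"""

if __name__ == "__main__":
    result = review_permissions(permissions_from_manifest(SAMPLE_MANIFEST))
    print("verdict:", result["verdict"])
    for perm, why in result["surveillance"].items():
        print(f"  {perm}: {why}")
```

The baseline is the part to adapt: it encodes what the app claims to be, so a legitimate tracking app that scans labels needs the camera but never needs to read SMS or draw over other apps. Anything in the surveillance group on a sideloaded app that arrived via a QR code is a reject, whatever the install prompt says the permission is for.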
This campaign highlights how threat actors adapt familiar techniques to new platforms. As QR codes become more common, attackers will continue abusing them. User awareness remains the strongest defense against these evolving mobile threats.