
ScarCruft pushes BirdCall Android malware via game platform

BirdCall Android – MISRYOUM reports that ScarCruft used a game platform supply-chain to distribute an Android spyware backdoor called BirdCall.

A North Korean-linked hacking operation is using a supply-chain route to deliver Android malware, disguising a spyware backdoor as legitimate game software.

In this campaign, MISRYOUM reports that the ScarCruft group (also tracked as APT37) is pushing an Android version of BirdCall through a video game platform. BirdCall has previously been known as a Windows backdoor; the Android variant adds spyware-style collection designed to monitor a device and siphon information from it.

MISRYOUM notes that the activity centers on the sqgame platform, which hosts both mobile and desktop games. The targeting appears selective: the observed intrusion attempts focused on Android and Windows systems rather than on every platform the storefront serves.

Insight: Supply-chain attacks like this are particularly effective because they blur the line between "trusted" software and the malware hidden inside updates or packaged apps. Users tend to feel safer downloading a game than running an unfamiliar installer, and attackers exploit exactly that trust.

The Android payload was trojanized into APKs distributed via the game platform, with development occurring around late 2024 and multiple versions created over time. While the Windows BirdCall is capable of a broader range of operations, the Android variant prioritizes surveillance and data gathering over full command-and-control features.

According to MISRYOUM, the Android malware collects details such as device and network identifiers, contact and messaging data, and other system attributes. It also takes periodic screenshots and records audio during a defined local-time window, then exfiltrates targeted files from the device selected by file extension.

Insight: Even without every capability seen on Windows, an Android spyware backdoor can still be high-impact. Screenshots, audio capture, and harvesting personal data can expose both individuals and relationships, creating long-term risk beyond the initial infection.

For Windows, MISRYOUM says the intrusion flow involves a trojanized DLL that downloads and executes a separate payload before BirdCall is installed. The operation is known for maintaining an arsenal of custom malware across platforms, including prior Android threats and espionage-focused toolsets.

The practical takeaway from MISRYOUM is simple: users should download apps and games only through official marketplaces or trusted publisher channels, and avoid sideloading APKs from less familiar sources.
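One way to act on that takeaway is to check which apps on a managed Android device did not come from a trusted marketplace. The script below is an added example, not code from MISRYOUM or from the article; it parses the output of the real `adb shell pm list packages -i` (package plus recorded installer) and `adb shell pm list packages -s` (system packages) commands and flags non-system packages whose installer is not in a trusted-store allowlist. The allowlist contents, the sample listings and all package names are constructed assumptions for illustration, not indicators from the campaign.

```python
"""Flag sideloaded Android packages from `pm list packages` output.

Capture real input with:
    adb shell pm list packages -i > installers.txt   # package + installer
    adb shell pm list packages -s > system.txt       # system packages only
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Installer package names treated as trusted marketplaces.
# Assumption: extend this for the stores your fleet actually uses.
TRUSTED_INSTALLERS: Set[str] = {
    "com.android.vending",            # Google Play Store
    "com.sec.android.app.samsungapps",  # Samsung Galaxy Store
}

# `pm list packages -i` prints lines like: "package:com.foo  installer=com.bar"
_INSTALLER_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")
# `pm list packages` (any flag without -i) prints: "package:com.foo"
_PACKAGE_LINE = re.compile(r"^package:(\S+)\s*$")


def parse_installer_listing(text: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer, with the literal 'null' mapped to None.

    'null' means the platform recorded no installer: preinstalled apps, but
    also APKs pushed over adb or installed before the installer was tracked.
    """
    result: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = _INSTALLER_LINE.match(line.strip())
        if m:
            pkg, installer = m.group(1), m.group(2)
            result[pkg] = None if installer == "null" else installer
    return result


def parse_package_listing(text: str) -> Set[str]:
    """Return the set of package names from a plain `pm list packages` run."""
    pkgs: Set[str] = set()
    for line in text.splitlines():
        m = _PACKAGE_LINE.match(line.strip())
        if m:
            pkgs.add(m.group(1))
    return pkgs


def find_sideloaded(installer_listing: str, system_listing: str,
                    trusted: Set[str] = TRUSTED_INSTALLERS
                    ) -> List[Tuple[str, Optional[str]]]:
    """Non-system packages whose installer is not a trusted store.

    A None installer on a non-system package is treated as suspicious: with
    no system flag it is most plausibly an adb or file-manager sideload.
    """
    installers = parse_installer_listing(installer_listing)
    system_pkgs = parse_package_listing(system_listing)
    flagged = [
        (pkg, inst) for pkg, inst in installers.items()
        if pkg not in system_pkgs and inst not in trusted
    ]
    return sorted(flagged)


# Constructed sample output for an offline run (not real device data).
SAMPLE_INSTALLERS = """
package:com.android.settings  installer=null
package:com.android.vending  installer=null
package:com.example.storegame  installer=com.android.vending
package:com.example.browsergame  installer=com.android.chrome
package:com.example.adbgame  installer=null
"""
SAMPLE_SYSTEM = """
package:com.android.settings
package:com.android.vending
"""

if __name__ == "__main__":
    for pkg, inst in find_sideloaded(SAMPLE_INSTALLERS, SAMPLE_SYSTEM):
        print(f"SIDELOADED? {pkg:32} installer={inst or 'null'}")
```

On the constructed sample the two flagged entries are the package with no recorded installer and the one installed by a browser; the Play-installed game and the system packages pass. Treat the output as a triage list rather than a verdict: a browser-initiated install can be legitimate, and the real indicator is whether the APK's signing certificate matches the publisher's known one.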

Insight: When threat actors can weaponize everyday categories like games, security hygiene needs to start at the source. Trusting a download because the storefront looks legitimate is no longer enough; restricting installs to official marketplaces and known publishers limits attackers' options from the outset.
