Author: HyeongJun Kim | S2W TALON
Last Modified : Mar 13, 2025

Executive Summary
- (Threat Hunting) On January 21, 2025, a malicious app named “문서열람 인증 앱” (Document Viewing Authentication App) was identified through VirusTotal and analyzed.
- (Malware) The malicious app was first signed on December 13, 2024. It decrypts the “security.db” file within the package using an XOR operation and dynamically loads a DEX file. Ultimately, it receives commands from the C2 server and performs malicious functions related to keylogging and information theft.
- (Key Features) Based on the malicious app's name and the presence of Korean-language strings, it is suspected to target mobile device users in South Korea. This malware represents a previously unidentified type of threat, masquerading as a Document-viewing authentication app. A phishing page impersonating CoinSwap was found at the C2 Infrastructure, leading to its designation as DocSwap.
- (Attribution) When DocSwap malware was first discovered, a phishing page impersonating CoinSwap was identified on the C2 IP address used for socket communication. However, as of February 27, 2025, accessing the C2 address displayed Naver’s favicon and the message “Million OK !!!!”, indicating a possible connection to the Kimsuky group.
- (Attribution) S2W Threat Research and Intelligence Center TALON separately manages unidentified threat groups. Among them, attack groups linked to North Korea are tracked under the name puNK, and the threat actors using the DocSwap malware have been designated as puNK-004.
Introduction
On January 21, 2025, a malicious app named “문서열람 인증 앱” was identified through VirusTotal and analyzed. This malware decrypts an obfuscated APK file and executes the code from an internally stored DEX file.
During the APK decryption process, the LoadedApkPlugin open-source project was utilized, with modifications introducing an additional XOR operation to the original code.

The decrypted APK file then loads and executes the DEX file. Ultimately, the app performs information theft functions, such as keylogging through accessibility services, file transfers via socket communication, camera manipulation, and audio recording.

Detailed Analysis of DocSwap

When the initial MainActivity is executed, the malicious app performs an XOR (0xC9) operation on the “security.db” file in a subdirectory. This process drops an APK file and loads the DEX file stored within it.
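As an added triage helper (not code from the report or from the malware), the following Python reverses the staging step just described: it recovers the single-byte XOR key by testing for the ZIP header the decrypted APK must start with, decrypts the blob, and lists the DEX entries inside. The sample security.db is constructed in the script; the key-recovery step generalizes beyond 0xC9 so repacked variants with a different key are handled too.

```python
import io
import zipfile
from typing import List, Optional, Tuple

XOR_KEY = 0xC9                 # key reported for DocSwap's security.db
ZIP_MAGIC = b"PK\x03\x04"      # local file header every APK (ZIP) starts with
DEX_MAGIC = b"dex\n035\x00"    # DEX file magic (version 035)


def build_sample_security_db(key: int = XOR_KEY) -> bytes:
    """Constructed stand-in for security.db: a tiny APK-like ZIP with one DEX entry,
    XOR-encrypted with the given key. Not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", DEX_MAGIC + b"\x00" * 64)
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
    return bytes(b ^ key for b in buf.getvalue())


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Brute-force the single-byte key: the right one turns the first four bytes into
    a ZIP local file header. XOR is bijective per byte, so at most one key matches."""
    for key in range(256):
        if bytes(b ^ key for b in blob[:4]) == ZIP_MAGIC:
            return key
    return None


def xor_decrypt(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob)


def list_dex_entries(apk_bytes: bytes) -> List[str]:
    """Names of archive members that carry DEX code, i.e. what the loader would stage."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [n for n in zf.namelist() if zf.read(n).startswith(DEX_MAGIC[:4])]


def triage(blob: bytes) -> Tuple[int, List[str]]:
    """Recover the key, decrypt, and report the DEX entries of the dropped APK."""
    key = recover_xor_key(blob)
    if key is None:
        raise ValueError("no single-byte XOR key yields a ZIP header; not this scheme")
    return key, list_dex_entries(xor_decrypt(blob, key))


if __name__ == "__main__":
    key, dex = triage(build_sample_security_db())
    print(f"key=0x{key:02X} dex_entries={dex}")
```

On a real sample, hash the decrypted output and compare it with the decrypted security.db hash in Appendix A before going further.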

The malicious app retrieves all permissions declared in the AndroidManifest.xml file and prompts the user to grant any unauthorized permissions. The permissions requested during runtime by this malware are as follows:

Additionally, to perform keylogging, the malware repeatedly generates notifications to request accessibility permissions. (“To ensure proper functionality, please enable accessibility permissions”)

The malicious app’s “com.security.library.MainService” service is executed, and it uses the StartForeground API to generate a notification and maintain persistence. (“Tap to view more details or stop the app”)

The malicious app ensures that the malware runs even after a phone reboot by triggering the “com.security.library.MainService” service when boot-related intents occur. This service initializes socket communication and executes the overall malicious behavior.
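The three manifest-level traits described above (boot-completed receiver, foreground service, accessibility service) are cheap to check statically. The script below is an added example, not S2W's tooling or the malware's code; the manifest excerpt is constructed, and only the package and MainService names come from the report (the receiver and accessibility service names are assumed).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"              # android:name attribute
PERMISSION = f"{{{ANDROID_NS}}}permission"  # android:permission attribute

# Constructed manifest excerpt modelled on the reported behaviour; ".BootReceiver" and
# ".KeyService" are assumed names, the package and MainService are from the report.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.security.library">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name="com.security.library.MainService"/>
    <service android:name=".KeyService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""

BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def triage_manifest(xml_text: str) -> dict:
    """Flag the persistence/keylogging combination: a BOOT_COMPLETED receiver backed by the
    matching permission, a foreground-service permission, and a bindable accessibility service."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    boot_receivers = [r.get(NAME) for r in root.iter("receiver")
                      if any(a.get(NAME) == BOOT_ACTION for a in r.iter("action"))]
    a11y_services = [s.get(NAME) for s in root.iter("service")
                     if s.get(PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE"]
    boot = bool(boot_receivers) and "android.permission.RECEIVE_BOOT_COMPLETED" in perms
    fg = "android.permission.FOREGROUND_SERVICE" in perms
    return {
        "package": root.get("package"),
        "permission_count": len(perms),
        "boot_persistence": boot,
        "boot_receivers": boot_receivers,
        "foreground_service": fg,
        "accessibility_services": a11y_services,
        "matches_docswap_pattern": boot and fg and bool(a11y_services),
    }


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against the AndroidManifest.xml decoded from the dropped APK (apktool or aapt2 both emit the text form this parser expects).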

Once accessibility permissions are granted to the malicious app, the accessibility service is activated, and the keylogging function is executed. During keylogging, the package name of the app where the event occurred, the app’s icon, and the text associated with the event are transmitted to the C2 server. Additionally, this information is stored locally in the following path:
- /data/data/com.security.library/Security/download_{dd-mm-yyyy}.dat

The “com.security.library.MainService” service is responsible for socket communication and receiving commands to execute malicious activities. The IP and port for socket communication are hardcoded, and a total of 57 malicious commands have been identified in the implementation.
Socket Communication IP & Port: 204.12.253[.]10:6834





Attribution
On February 21, 2025, when accessing the app’s C2 address, a phishing page masquerading as CoinSwap was observed. However, on February 27, 2025, the Naver favicon and the string “Million OK !!!!” appeared instead. Given that the same characteristic was previously observed on Kimsuky group phishing servers targeting Naver accounts, a possible connection to the Kimsuky group is suspected.

S2W Threat Research and Intelligence Center TALON separately manages unidentified threat groups. Among them, attack groups linked to North Korea are tracked under the name puNK, and the threat actors using the DocSwap malware have been designated as puNK-004. The list of puNK groups currently being tracked by S2W TALON is shown in Table 7.

Conclusion
- On January 21, 2025, a malicious app named “문서열람 인증 앱” (Document Viewing Authentication App) was identified. This app, a new type of malware not previously observed, impersonates a Document-viewing authentication app. Additionally, a phishing page masquerading as CoinSwap was found at the C2 address, leading to the app being named DocSwap.
- The malicious app performs keylogging through accessibility services. Via socket communication with the C2 server, it receives malicious commands to carry out information theft functions such as camera recording, microphone recording, file downloading and deletion, among others.
- On February 21, 2025, when accessing the app’s C2 address, a phishing page masquerading as CoinSwap was observed. However, on February 27, 2025, the Naver favicon and the string “Million OK !!!!” appeared instead. Given that the same characteristic was previously observed on Kimsuky group phishing servers targeting Naver accounts, a possible connection to the Kimsuky group is suspected.
- S2W Threat Research and Intelligence Center TALON separately manages unidentified threat groups. Among them, attack groups linked to North Korea are tracked under the name puNK, and the threat actors using the DocSwap malware have been designated as puNK-004.
- The DocSwap malware disguises itself as a document viewing authentication app, tricking users into installing and clicking on it. Therefore, it is essential to be cautious and avoid executing links or email attachments that lead to downloading malicious apps with uncertain origins.
MITRE ATT&CK
Persistence
- (T1398) Boot or Logon Initialization Scripts
- (T1541) Foreground Persistence
Defense Evasion
- (T1655.001) Match Legitimate Name or Location
- (T1406) Obfuscated Files or Information
Discovery
- (T1420) File and Directory Discovery
- (T1418) Software Discovery
- (T1426) System Information Discovery
Collection
- (T1532) Archive Collected Data
- (T1429) Audio Capture
- (T1616) Call Control
- (T1417.001) Keylogging
- (T1636.002) Call Log
- (T1636.003) Contact List
- (T1636.004) SMS Messages
- (T1512) Video Capture
Exfiltration
- (T1646) Exfiltration Over C2 Channel
Appendix A. IoCs
The full IoC list can be found on our GitHub.
File hash
DocSwap
- bf134495142d704f9009a7d325fb9546db407971ade224e3718a84254e9ff03e (APK)
- 0c84233ca90e5be15f6cdafa43d84207590b3fe522a01e20807915d3af715e9c (DEX)
- 28e2221b90e9ef4c8e38593efd383dc218686fc38398bcf0a55c673420a63119 (DEX)
- ae1721ce930929dfb060371cd0012aa38f29d2aac1dac761ec1d6302a46fa2fe (security.db, xor encrypted)
- 18e92e57568ad5aad4635c932782ee1c44add6c0718e5c794f6e66a70f78a984 (security.db, xor decrypted)
Network
- 204.12.253[.]10
- hxxp://change.pi-usdt.o-r[.]kr
- hxxp://hange.pi-usdt.o-r[.]kr
Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer was originally published in S2W BLOG on Medium.
Article Link: Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer | by S2W | S2W BLOG | Mar, 2025 | Medium