APT37 BirdCall Android supply-chain campaign
Campaign
Summary
The APT37 campaign now delivers a new Android variant of BirdCall through trojanized APKs on sqgame[.]net, expanding the operation beyond its known Windows foothold. The supply-chain path can reach users who trust the game platform, raising the risk of spyware collection and cross-platform compromise. The Android build was created around October 2024 and had at least seven versions. Targeting focused on Android and Windows users, including Koreans in the Yanbian region.
Related Happenings
Android Intrusion Logging forensic logging rollout for spyware investigations
Security Tool/Service
First: 13.05.2026 09:55
Last: 13.05.2026 09:55
Sources 1
About this happening:
**Android** is adding **Intrusion Logging**, an opt-in forensic feature in **Advanced Protection Mode** that preserves device and network activity for suspected spyware compromise...
Android 17 expands platform security and privacy protections
Security Tool/Service
First: 12.05.2026 20:00
Last: 12.05.2026 20:00
Sources 1
About this happening:
**Android 17** will add a broad set of **Google**-backed security and privacy controls next month, reducing exposure to **banking scam calls**, **device theft**, and **OTP theft**...
TrickMo Android banking malware adds TON-based covert command-and-control
Malware Activity
First: 11.05.2026 12:03
Last: 11.05.2026 12:03
Sources 1
About this happening:
The **TrickMo Android banking malware** has added **TON-based covert command-and-control**, making its operator infrastructure harder to identify, block, or take down for victims...
CallPhantom Google Play fraud campaign targeting Android users in India and Asia-Pacific
Campaign
First: 08.05.2026 18:08
Last: 08.05.2026 18:08
Sources 1
About this happening:
The **CallPhantom** fraud campaign pushed **28 fake call-history Android apps** through the **Google Play Store**, causing **financial loss** for users who paid for fabricated dat...
Sqgame[.]net gaming platform hit by network compromise
Incident
First: 05.05.2026 18:00
Last: 05.05.2026 18:00
Sources 1
About this happening:
The **sqgame[.]net** gaming platform was **compromised**, and its **Windows** and **Android** software were **trojanized** to deliver malicious code to users, putting a regional e...
Timeline
- 05.05.2026 12:04 · 2 articles · 22d ago
ESET reports APT37 BirdCall Android supply-chain campaign
Initial Disclosure
ESET identified a supply-chain campaign by APT37, also known as ScarCruft and Ricochet Chollima, that delivered a previously undocumented Android variant of BirdCall through trojanized APKs on sqgame[.]net, a game site used in the Yanbian region of China. The malware was created around October 2024, developed in at least seven versions, and broadened BirdCall from its known Windows foothold to Android spyware that collects device, contact, call-log, SMS, screenshot, audio, and file data while ScarCruft also targeted Windows systems.
Sources
- ScarCruft hackers push BirdCall Android malware via game platform — www.bleepingcomputer.com — 05.05.2026 12:04