Zimperium

Kimsuky Expands Mobile Attacks with Weaponized QR Codes

Written by Nicolás Chiaraviglio | Dec 19, 2025

Researchers at ENKI recently reported on an active campaign in which the North Korea-linked threat actor Kimsuky is distributing malicious Android applications using weaponized QR codes. The campaign relies on phishing websites and QR codes masquerading as legitimate services — such as logistics, delivery, or utility apps — to convince victims to scan, download, and install trojanized APKs. This technique represents a deliberate shift toward mobile-native delivery mechanisms that exploit user trust and bypass traditional email-centric security controls.

The malicious apps delivered through this campaign function as Remote Access Trojans (RATs), enabling attackers to maintain persistent access to compromised devices. The samples analyzed leverage encrypted payloads that are decrypted and loaded at runtime, allowing the malware to evade static inspection and complicate traditional detection approaches. By combining QR-based distribution with dynamic unpacking and RAT functionality, Kimsuky continues to evolve its tradecraft to better target mobile users and enterprise environments.
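The runtime-decryption behaviour described above leaves static traces that a triage pipeline can look for: an opaque, high-entropy asset inside the APK, and a classes.dex that references both a dynamic class loader and a cipher API. The script below is an added example written for this post, not code from Zimperium or from the ENKI report. It builds a constructed stand-in APK (a zip with a fake dex and a pseudo-random asset) and flags that combination; the loader and crypto class names, the entropy threshold, and the file-type exclusions are assumptions chosen for illustration.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

# Class references a runtime-unpacking loader commonly needs (assumed markers,
# not indicators taken from the report).
LOADER_MARKERS = (b"Ldalvik/system/DexClassLoader;",
                  b"Ldalvik/system/InMemoryDexClassLoader;")
CRYPTO_MARKERS = (b"Ljavax/crypto/Cipher;",
                  b"Ljavax/crypto/spec/SecretKeySpec;")
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted data sits close to 8.0
MIN_SIZE = 1024           # entropy of tiny files is not meaningful
# Already-compressed media would trip the entropy check, so skip it.
COMPRESSED_EXTS = (".png", ".jpg", ".jpeg", ".webp", ".gif",
                   ".ogg", ".mp3", ".mp4", ".ttf", ".otf", ".woff")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> dict:
    """Static triage of one APK: opaque assets plus loader/crypto refs in the dex."""
    findings = {"high_entropy_assets": [], "dex_loader_refs": [], "dex_crypto_refs": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)          # decompressed entry content
            name = info.filename.lower()
            if name.endswith(".dex"):
                findings["dex_loader_refs"] += [m.decode() for m in LOADER_MARKERS if m in data]
                findings["dex_crypto_refs"] += [m.decode() for m in CRYPTO_MARKERS if m in data]
            elif name.endswith(COMPRESSED_EXTS) or len(data) < MIN_SIZE:
                continue
            else:
                ent = shannon_entropy(data)
                if ent >= ENTROPY_THRESHOLD:
                    findings["high_entropy_assets"].append((info.filename, round(ent, 2)))
    # Only the combination is interesting: an opaque blob alone is common in benign apps.
    findings["suspicious"] = bool(findings["high_entropy_assets"]
                                  and findings["dex_loader_refs"]
                                  and findings["dex_crypto_refs"])
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a packed APK; nothing here is a real sample."""
    # Deterministic sha256 chain standing in for an encrypted payload blob.
    blob, seed = b"", b"constructed-seed"
    while len(blob) < 4096:
        seed = hashlib.sha256(seed).digest()
        blob += seed
    fake_dex = (b"dex\n035\x00" + b"Lcom/example/Main;"
                + LOADER_MARKERS[0] + CRYPTO_MARKERS[0])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example'/>")
        zf.writestr("classes.dex", fake_dex)
        zf.writestr("assets/config.dat", blob)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

Treat the result as a triage signal, not a verdict: legitimate apps also ship encrypted assets, and a packer can split its loader across native code that this dex-only check never sees. The value of the heuristic is in routing a sample to dynamic analysis, which is where runtime-decrypted payloads actually reveal themselves.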

From a defensive standpoint, this campaign highlights the growing importance of QR codes as an attack vector. Users frequently scan QR codes without visibility into the underlying destination, making them an effective way to deliver malicious links or payloads directly to mobile devices. Zimperium Mobile Threat Defense (MTD) addresses this risk by detecting and blocking malicious QR codes, preventing users from being redirected to phishing pages or malware delivery sites before an infection occurs. This capability is especially critical as QR codes are increasingly used in corporate, retail, and logistics workflows.
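Because a scanned QR code gives the user no view of where it leads, the useful defensive step is to inspect the decoded payload before anything follows it. The script below is an added example written for this post, not Zimperium's detection logic. It takes the string a QR decoder produced and scores it on the properties this campaign abuses: a direct APK download, a plain-HTTP or non-web scheme, a raw IP host, a punycode or deeply nested hostname, and a delivery or utility theme used as a subdomain. The sample payloads, keyword list, and scoring weights are constructed for illustration, and network-dependent checks such as domain age are deliberately left out.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed heuristics; weights and keywords are assumptions, not a vendor ruleset.
APK_SUFFIXES = (".apk", ".xapk", ".apks")
LURE_KEYWORDS = ("delivery", "parcel", "logistics", "utility", "bill", "invoice")


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_qr_payload(payload: str) -> dict:
    """Score a decoded QR payload; returns risk level, score and the reasons."""
    try:
        url = urlparse(payload.strip())
    except ValueError:
        return {"url": False, "risk": "unknown", "score": 0, "reasons": ["unparseable payload"]}
    if not url.scheme or not url.netloc:
        # Wi-Fi configs, vCards, plain text: not a link, so nothing to follow.
        return {"url": False, "risk": "info", "score": 0, "reasons": ["not a URL"]}

    reasons = []
    score = 0
    host = (url.hostname or "").lower()
    path = url.path.lower()

    if url.scheme not in ("http", "https"):
        reasons.append(f"non-web scheme '{url.scheme}' hands the link to an app handler")
        score += 2
    elif url.scheme == "http":
        reasons.append("plain HTTP, destination cannot be authenticated")
        score += 1
    if path.endswith(APK_SUFFIXES):
        reasons.append("direct APK download, i.e. a sideload outside the app store")
        score += 3
    if _is_ip_literal(host):
        reasons.append("raw IP address instead of a domain name")
        score += 2
    else:
        labels = host.split(".")
        if any(label.startswith("xn--") for label in labels):
            reasons.append("punycode label in hostname (possible lookalike domain)")
            score += 2
        if len(labels) >= 4:
            reasons.append("deeply nested subdomain")
            score += 1
        # Brand or service theme placed in the subdomain, not the registered domain.
        if len(labels) >= 3 and any(k in ".".join(labels[:-2]) for k in LURE_KEYWORDS):
            reasons.append("service-themed keyword used as a subdomain")
            score += 1

    risk = "high" if score >= 3 else "medium" if score >= 1 else "low"
    return {"url": True, "risk": risk, "score": score, "reasons": reasons}


# Constructed payloads (documentation ranges and example.* names only).
SAMPLE_PAYLOADS = [
    "https://parcel-tracking.example.net/update/app.apk",
    "http://203.0.113.7/delivery.apk",
    "https://www.example.com/track?id=123",
    "WIFI:T:WPA;S:Lobby;P:secret;;",
    "intent://open#Intent;scheme=https;end",
]


def inspect_all(payloads=SAMPLE_PAYLOADS) -> list:
    return [(p, inspect_qr_payload(p)) for p in payloads]


if __name__ == "__main__":
    for payload, verdict in inspect_all():
        print(f"{verdict['risk']:>6}  {payload}")
        for reason in verdict["reasons"]:
            print(f"        - {reason}")
```

The scoring is intentionally conservative on a single weak signal and decisive on the one that matters most here, a link whose path ends in an APK: a phone's browser will offer to install it, and that is the step a store-only installation policy or an MTD block is meant to intercept. In a real deployment the offline heuristics would be paired with domain reputation and registration-age lookups, which is where newly built lure infrastructure is usually caught.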

Out of the publicly reported indicators of compromise associated with this campaign, 90% are detected by Zimperium in a true zero-day fashion using our on-device dynamic detection engine. This ensures protection even when attackers rely on newly registered domains, fresh infrastructure, or previously unseen malware variants. This protection applies to both MTD and Mobile Runtime Protection (zDefend), protecting enterprises and enterprise applications from overlay abuse, tampering, and runtime manipulation that can occur once a device is compromised.

For enterprises, Kimsuky’s use of QR-based mobile malware delivery is particularly concerning. A single compromised device can expose corporate credentials, enable surveillance of business communications, or provide attackers with a foothold inside mobile-enabled workflows. By combining malicious QR code detection, zero-day malware protection, and runtime application defenses, Zimperium helps organizations stay protected against advanced mobile threats — even as adversaries adopt new delivery techniques to stay ahead of traditional security controls.