DocSwap Android Malware Threat Overview

December 19, 2025

DocSwap is a newly uncovered Android malware strain attributed to the North Korea–linked threat actor Kimsuky. First reported in December 2025, the malware is distributed through QR-code phishing campaigns that impersonate legitimate logistics and customs notifications, particularly those associated with the South Korean delivery company CJ Logistics. Unlike ransomware, DocSwap does not encrypt files or extort victims for payment. Instead, it is designed for covert surveillance, credential theft, and long-term access to compromised mobile devices.

Information on “DocSwap Android Malware”

Malware Name: DocSwap
Threat Type: Android Malware / Remote Access Trojan (RAT)
Attributed Threat Actor: Kimsuky (North Korea-linked)
First Detected / Reported: December 2025
Affected Operating System: Android
Known Disguised APK: SecDelivery.apk
Primary Distribution Method: QR-code phishing via fake delivery and customs notices

Infection Vector and Delivery Technique

The infection chain typically begins with smishing messages or phishing emails posing as shipment updates or customs security alerts. Victims are directed to a malicious website that displays a QR code when accessed from a desktop device. Scanning this QR code on an Android phone redirects the user to a page prompting them to install a supposed shipment-tracking or security verification application.

To bypass Android’s default security warnings, the attackers falsely claim that the application is an official release required to comply with international shipping or customs regulations. Once installed, the application decrypts and loads an embedded, encrypted APK payload and registers a malicious background service without the user’s awareness.

Capabilities and Post-Infection Behavior

  • DocSwap deploys a fully featured remote access trojan, granting attackers persistent control over the infected device.
  • The malware can log keystrokes, intercept SMS messages, and capture one-time passwords used for two-factor authentication.
  • Additional capabilities include recording audio, activating the camera, collecting location data, and accessing contacts and call logs.
  • The trojan supports remote command execution and file upload/download operations.
  • To reduce suspicion, the app displays legitimate CJ Logistics tracking pages while malicious activity continues in the background.
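Added example (Python, not code from the page or from any vendor tooling) that turns the capability list above and the encrypted-embedded-APK dropper pattern from the infection section into a static triage check: assuming a manifest already decoded to text (for instance by apktool) and the app's asset files read as bytes, it maps declared permissions to the surveillance capabilities named above and flags any bundled asset that is neither a cleartext archive nor a DEX file but has near-random byte entropy. The sample manifest, the two assets and the 7.5-bit entropy threshold are constructed assumptions for illustration.

```python
import math
import re
# Permissions that map onto the capability set described above (SMS/OTP
# interception, audio, camera, location, contacts, call logs).
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "SMS/OTP interception",
    "android.permission.READ_SMS": "SMS/OTP interception",
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.CAMERA": "camera capture",
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
    "android.permission.READ_CONTACTS": "contact harvesting",
    "android.permission.READ_CALL_LOG": "call log access",
}
PERM_RE = re.compile(r'<uses-permission[^>]*android:name="([^"]+)"')
def risky_permissions(manifest_xml):
    """Map each risky permission declared in a decoded manifest to the capability it enables."""
    return {n: RISKY_PERMISSIONS[n] for n in PERM_RE.findall(manifest_xml) if n in RISKY_PERMISSIONS}

def shannon_entropy(data):
    """Bits per byte of the input; encrypted or compressed blobs sit close to 8.0."""
    n = len(data)
    counts = [data.count(b) for b in set(data)]
    return -sum(c / n * math.log2(c / n) for c in counts)

def looks_like_encrypted_payload(asset, threshold=7.5):
    """Flag an asset that is neither a cleartext ZIP/APK nor a DEX file but is near-random (assumed threshold)."""
    if asset.startswith(b"PK\x03\x04") or asset.startswith(b"dex\n"):
        return False
    return shannon_entropy(asset) >= threshold

def triage(manifest_xml, assets):
    """Score an app: 1 point per risky permission, 2 per asset that looks like an encrypted payload."""
    perms = risky_permissions(manifest_xml)
    blobs = [name for name, data in assets.items() if looks_like_encrypted_payload(data)]
    return {"permissions": perms, "suspicious_assets": blobs, "score": len(perms) + 2 * len(blobs)}

# Constructed sample input (not real DocSwap artifacts): a decoded manifest and two assets.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""
SAMPLE_ASSETS = {
    "tracking.html": b"<html><body>Your parcel is in transit</body></html>" * 4,
    "payload.bin": bytes(range(256)) * 4,  # uniform bytes stand in for an encrypted blob
}
if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_ASSETS))
```

The manifest check catches the permission footprint of a RAT with this feature set, and the entropy check catches the "encrypted APK inside an APK" loader pattern, so an app scoring high on both warrants dynamic analysis before it is cleared.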

Threat Context and Risk Assessment

DocSwap highlights a broader shift toward mobile-centric espionage campaigns that exploit the widespread use of QR codes in everyday business operations. By redirecting victims from secured corporate environments to personal Android devices, attackers can bypass traditional email filtering and endpoint protection mechanisms. This technique is particularly effective in logistics, supply chain, and compliance-driven industries where QR codes are scanned frequently as part of routine workflows.

Conclusion

Although DocSwap is not ransomware, it represents a significant cyber threat due to its stealth, persistence, and extensive surveillance capabilities. Successful infections can lead to credential compromise, unauthorized access to corporate systems, and prolonged espionage activity without immediate detection.

As specialists in high-impact cyber incidents, we support organizations facing advanced threats through rapid containment, investigation, and response via our Incident Response Retainer. Early identification and decisive action remain critical to limiting exposure and preventing further escalation.

Last updated on: December 19, 2025