Researchers said a team of hackers tied to North Korea recently managed to get the Google Play market to host at least three Android apps designed to surreptitiously steal personal information from defectors of the isolated nation.

The three apps first appeared in the official Android marketplace in January and weren’t removed until March when Google was privately notified. That’s according to a blog post published Thursday by researchers from security company McAfee. Two apps masqueraded as security apps, and a third purported to provide information about food ingredients. Hidden functions caused them to steal device information and allow them to receive additional executable code that stole personal photos, contact lists, and text messages.

The apps were spread to selected individuals, in many cases by contacting them over Facebook. The apps had about 100 downloads when Google removed them. Nation-operated espionage campaigns frequently infect a small number of carefully selected targets and keep the number small in an attempt to remain undetected. Thursday’s report is the latest to document malicious apps that bypassed Google filters designed to keep bad wares out of the Play market.

North Korea warms to Android

McAfee reported last November that it found malicious Android files that contained backdoors that were very similar to those used by a North Korean hacking group known as Lazarus. A so-called "advanced persistent threat group" that multiple researchers have tracked for years, Lazarus is credited with the 2014 breach of Sony Pictures that wiped almost a terabyte’s worth of data, a string of attacks on financial institutions (including an $81 million heist of a Bangladeshi bank in 2016), and the unleashing of the Wannacry worm (second attribution here), which shut down hospitals, train stations, and businesses worldwide.

Common traits between Lazarus and the Android malware McAfee reported in November included backdoor files that used the same seed to generate encryption keys and a similar way to communicate with control servers.

In January, McAfee reported finding malicious apps targeting North Korean journalists and defectors. Some of the Korean words found in the control servers weren’t used in South Korea but were used in North Korea. The researchers also found a North Korean IP address in a test log file of some Android devices that were connected to accounts used to spread the malware. McAfee said the developers didn’t appear to be connected to any previously known hacking groups. The researchers named the group Sun Team after finding a deleted folder called “sun Team Folder.”

The three apps McAfee reported Thursday contained the same developer email address used for the apps reported in January, a finding that established the same developers were responsible for all of them. Logs for the newer apps also used similar formats and the same abbreviations for various fields as those found in the apps reported in January. The three apps’ descriptions also contained Korean writing that appeared similarly awkward, and a Dropbox account that received pilfered data contained references to Jack Black and other celebrities who appeared on Korean TV.

In an email, McAfee Chief Scientist Raj Samani said company researchers right now believe the Sun Team is probably a separate group from Lazarus. The researchers base that assessment on different methods used in their campaigns. Samani said it’s possible Lazarus and the Sun Team may ultimately prove to be more connected than current evidence establishes. But McAfee researchers said, based on the language found in the Android apps and the cultural references, they strongly suspect that the Sun Team is based in North Korea.

“These features are strong evidence that the actors behind these campaigns are not native South Koreans but are familiar with the culture and language,” McAfee researchers wrote. “These elements are suggestive, though not a confirmation, of the nationality of the actors behind these malware campaigns.”