Severity: HIGH - State-Sponsored Supply Chain Backdoor Active on Android and Windows

North Korea-aligned threat actor ScarCruft (also tracked as APT37 and InkySquid) has successfully compromised a legitimate video game platform, injecting its components with a sophisticated backdoor called BirdCall. This is a textbook supply chain attack - users who downloaded or updated software from the compromised platform unknowingly installed a fully functional espionage backdoor on both Android and Windows devices. The immediate target appears to be ethnic Koreans in China, but the malware infrastructure, tactics, and delivery mechanism pose a direct and transferable threat to organizations anywhere that run compromised third-party software - including across East Africa.

The Threat: What BirdCall Does

BirdCall is a multi-platform backdoor that gives attackers persistent, covert access to infected endpoints. Based on prior ScarCruft campaigns and the evolving capabilities of this malware family, BirdCall is designed to:

  • Exfiltrate files, credentials, and communications silently in the background
  • Execute remote commands on infected Windows and Android devices
  • Maintain persistence across reboots and software updates
  • Evade endpoint detection by masquerading as legitimate, signed application components
  • Harvest authentication tokens that can be replayed to access corporate networks and cloud platforms

What makes this attack particularly dangerous is the supply chain delivery vector. The malicious code was embedded inside a platform that users actively trusted and updated, meaning traditional "don't click suspicious links" advice provides zero protection here.

Impact Assessment for East Africa

East African organizations may not be the primary target of this specific campaign, but the supply chain attack model is now proven and replicable. ScarCruft and similar state-sponsored groups routinely retool successful techniques against new geographies and sectors. Here is why this matters directly to institutions in Kenya, Somalia, Ethiopia, and the wider Horn of Africa:

Financial Sector (Kenya, Ethiopia, Somalia)

Banks and microfinance institutions across East Africa rely heavily on third-party software vendors for core banking modules, mobile money integrations, and agent network tools. A single compromised vendor update pushed to Android devices used by bank agents or staff can hand attackers persistent access to internal systems. This directly threatens compliance with CBK's Prudential Guidelines on Cybersecurity and the Bank of Tanzania's ICT Risk Management Framework.

Government and GovTech Platforms

National ID systems, eCitizen portals, and e-government platforms across Kenya, Ethiopia, and Somalia are expanding rapidly - and increasingly depend on third-party software components. A BirdCall-style implant embedded in any government-facing platform update creates an undetected persistent presence inside national infrastructure. This is exactly the scenario Kenya's Computer Misuse and Cybercrimes Act 2018 was designed to address, but reactive legislation does not stop proactive attackers.

Critical Infrastructure and Telecom

Power utilities and telecom operators in the region run operational technology (OT) environments managed from Windows-based workstations. BirdCall's Windows payload targeting these endpoints is a direct path from a software supply chain compromise to operational disruption or espionage inside national grid management systems.

Immediate Actions - What Your Team Must Do Now

  • Audit all third-party software installed on Windows and Android devices across your organization. Flag any gaming, entertainment, or non-business-critical applications immediately and remove them from corporate devices.
  • Review your software supply chain policy. Every vendor and application used inside your network must be subject to formal approval, code signing verification, and periodic security review - especially before updates are deployed.
  • Deploy endpoint detection and response (EDR) tools capable of behavioral analysis on both Windows and Android endpoints. Signature-based antivirus will not catch BirdCall until definitions are updated - behavior-based detection catches it earlier.
  • Check for indicators of compromise (IOCs) associated with ScarCruft/APT37 campaigns. Your SOC team should be hunting for anomalous outbound connections, unexpected scheduled tasks, and new persistence mechanisms on endpoints right now.
  • Enforce a mobile device management (MDM) policy that restricts which applications can be installed on Android devices used for work. Personal-use apps on corporate or BYOD devices are an open supply chain attack surface.
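The audit, hunt and allowlist steps above can be turned into a repeatable triage pass over artifacts a SOC analyst already exports from a Windows endpoint. The script below is an added illustration written for this advisory; it is not DRONGO's tooling, not part of any vendor product, and not tied to any real BirdCall indicator. It takes three inputs: an installed-software inventory in CSV form, the CSV that `schtasks /query /v /fo CSV` writes (only the TaskName and "Task To Run" columns are used), and a list of established outbound connections as (process, remote IP, remote port) tuples such as an EDR or netstat export would give you. The approved-software list, the user-writable path fragments and the network baseline are assumed starting points that each organization should replace with its own, and all sample records at the bottom are constructed (IPs are from documentation ranges).

```python
"""Endpoint triage over exported artifacts (added example, not vendor code)."""
import csv
import io
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed allowlist of software approved for corporate endpoints.
APPROVED_SOFTWARE = {"Google Chrome", "Microsoft Office", "Core Banking Agent"}

# Locations a properly packaged service rarely runs from, but dropped payloads and
# user-installed launchers often do (matched case-insensitively as substrings).
USER_WRITABLE_FRAGMENTS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\programdata\\",
)

# Assumed baseline of processes expected to reach the internet from a workstation.
NETWORK_BASELINE = {"chrome.exe", "msedge.exe", "outlook.exe", "svchost.exe"}

# Address space treated as internal; any other destination counts as external.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Finding:
    category: str   # kind of anomaly
    subject: str    # application, task or process name
    detail: str     # evidence to hand to the analyst


def audit_installed_software(inventory_csv: str) -> list[Finding]:
    """Flag every installed application that is not on the approved list."""
    return [
        Finding("unapproved-software", row["Name"], f"publisher={row['Publisher']}")
        for row in csv.DictReader(io.StringIO(inventory_csv))
        if row["Name"] not in APPROVED_SOFTWARE
    ]


def audit_scheduled_tasks(schtasks_csv: str) -> list[Finding]:
    """Flag scheduled tasks whose action launches from a user-writable path."""
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        action = row["Task To Run"]
        if any(frag in action.lower() for frag in USER_WRITABLE_FRAGMENTS):
            findings.append(Finding("suspicious-task", row["TaskName"], action))
    return findings


def is_external(ip: str) -> bool:
    """True unless the address falls inside one of the internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def audit_connections(connections) -> list[Finding]:
    """Flag external egress from non-baseline processes, and external egress
    on a port other than 80/443 even from a baseline process."""
    findings = []
    for process, remote_ip, remote_port in connections:
        if not is_external(remote_ip):
            continue
        target = f"{remote_ip}:{remote_port}"
        if process.lower() not in NETWORK_BASELINE:
            findings.append(Finding("unexpected-egress", process, target))
        elif remote_port not in (80, 443):
            findings.append(Finding("unusual-port", process, target))
    return findings


def triage(inventory_csv, schtasks_csv, connections) -> dict[str, list[Finding]]:
    """Run all three checks and group the findings by category."""
    grouped: dict[str, list[Finding]] = {}
    for f in (audit_installed_software(inventory_csv)
              + audit_scheduled_tasks(schtasks_csv)
              + audit_connections(connections)):
        grouped.setdefault(f.category, []).append(f)
    return grouped


# --- constructed sample exports: not real indicators, IPs are documentation ranges ---
SAMPLE_INVENTORY = """Name,Publisher,Version
Google Chrome,Google LLC,120.0.6099.71
Core Banking Agent,ExampleBank Ltd,4.2.0
GameLauncher,Example Games Co,2.1.3
"""

SAMPLE_SCHTASKS = '''"TaskName","Next Run Time","Status","Task To Run"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready","%windir%\\system32\\defrag.exe -c -h -o -$"
"\\GameLauncherUpdate","12:00:00","Ready","C:\\Users\\agent\\AppData\\Roaming\\GameLauncher\\update.exe --silent"
'''

SAMPLE_CONNECTIONS = [
    ("chrome.exe", "203.0.113.10", 443),    # baseline browser on a normal port
    ("svchost.exe", "10.0.0.5", 445),       # internal file share, ignored
    ("svchost.exe", "203.0.113.44", 8080),  # baseline process, unusual external port
    ("update.exe", "198.51.100.23", 443),   # non-baseline process reaching out
]

if __name__ == "__main__":
    for category, items in triage(SAMPLE_INVENTORY, SAMPLE_SCHTASKS, SAMPLE_CONNECTIONS).items():
        for f in items:
            print(f"[{category}] {f.subject}: {f.detail}")
```

Each check is deliberately simple so that its logic can be read and tuned by the analyst who owns the baseline: an unapproved launcher, a task that runs from a roaming profile directory, and a non-browser process talking to an external address are exactly the three signals that a supply-chain implant riding on a gaming application tends to leave behind, and each one is something behavioral EDR or an MDM inventory can confirm or dismiss quickly.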

DRONGO Recommendation

Supply chain attacks like BirdCall succeed because most organizations have no visibility into what their third-party software actually does once installed. DRONGO's Managed SOC service provides 24/7 behavioral monitoring across Windows and Android endpoints, with threat intelligence feeds specifically tuned for state-sponsored APT activity targeting African organizations. We help you see what your vendors are doing inside your network - before the damage is done.

Is your organization protected? Request a free security assessment.