DocSwap

DocSwap is an Android malware first identified in 2025 and attributed to Kimsuky. Its name combines the app's Korean name, "문서열람 인증 앱" (Document Viewing Authentication App), with a phishing page masquerading as CoinSwap that was hosted at the C2 address. Based on this name and its Korean-language strings, DocSwap potentially targets mobile device users in South Korea. Several variants of DocSwap exist; in one of the latest samples the adversary added a native decryption function that decrypts an embedded APK.[1][2]

ID: S9005
Type: MALWARE
Platforms: Android
Contributors: Wai Linn Oo, Kernellix Co., Ltd.
Version: 1.0
Created: 16 February 2026
Last Modified: 23 April 2026

Techniques Used

Domain ID Name Use
Mobile T1453 Abuse Accessibility Features

Once accessibility permissions are granted, DocSwap has abused the Accessibility Service to execute a keylogging capability.[1][2]

Mobile T1437 .001 Application Layer Protocol: Web Protocols

DocSwap has sent an HTTP POST request to downcat.php, recording the access time and the APK URL path.[1]

Mobile T1429 Audio Capture

DocSwap has the ability to start and stop audio recording.[1][2]

Mobile T1616 Call Control

DocSwap has requested the CALL_PHONE permission to make phone calls.[1][2]

Mobile T1533 Data from Local System

DocSwap has checked for the WRITE_EXTERNAL_STORAGE permission.[1][2]

Mobile T1624 .001 Event Triggered Execution: Broadcast Receivers

DocSwap has registered the following intents to automatically execute MainService on device reboot: android.intent.action.BOOT_COMPLETED, android.intent.action.ACTION_POWER_CONNECTED, and android.intent.action.ACTION_POWER_DISCONNECTED.[1][2]

Mobile T1627 Execution Guardrails

DocSwap has checked if the victim has accessed the malicious URL from a PC. If so, DocSwap redirected the victim to scan the malicious QR code using a mobile device.[1]

Mobile T1646 Exfiltration Over C2 Channel

DocSwap has used a hardcoded IP address and port for C2 and exfiltration over socket communication.[2]

Mobile T1420 File and Directory Discovery

DocSwap has checked for the READ_EXTERNAL_STORAGE and MANAGE_EXTERNAL_STORAGE permissions.[1][2]

Mobile T1541 Foreground Persistence

DocSwap has checked for the FOREGROUND_SERVICE permission.[1] DocSwap has also called the startForeground API to post a persistent notification reading, in Korean, "Tap to view more details or stop the app", which keeps its service running in the foreground and maintains persistence.[2]

Mobile T1630 .002 Indicator Removal on Host: File Deletion

DocSwap has the ability to delete files and directories.[1][2]

Mobile T1544 Ingress Tool Transfer

DocSwap has the ability to upload and download files via socket communication.[1][2]

Mobile T1417 .001 Input Capture: Keylogging

When an accessibility event occurs, DocSwap has used a keylogger to record the target application’s icon, package name, event text, and timestamp.[1][2]

Mobile T1430 Location Tracking

DocSwap has the ability to collect location information and to start and stop sending location information to the C2 server.[1][2]

Mobile T1655 .001 Masquerading: Match Legitimate Name or Location

DocSwap has masqueraded as a VPN application, using the same package name (com.bycomsolutions.bycomvpn) and having similar file structure, metadata and code routines as the legitimate application.[1]

Mobile T1575 Native API

DocSwap has decrypted the encrypted APK file security.dat using the decryptFile function in the native-lib library.[1]

Mobile T1406 Obfuscated Files or Information

DocSwap has used an obfuscated APK file and Base64-encoded URLs and files.[1][2]
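Base64 is a reversible encoding, so the URLs and filenames it hides can be recovered from a decompiled APK's string table without running the sample. The Python script below is an added example for this entry, not code from the page, from DocSwap or from the cited reports: it scans constructed "strings"-style output for base64 tokens, decodes only tokens that validate strictly and yield printable ASCII, and labels each result as a URL, a filename or plain text so that accidental decodes and ordinary identifiers are not reported as indicators. The sample strings are constructed for this example (the address 192.0.2.10 is an RFC 5737 documentation address); downcat.php and security.dat are the filenames the page gives.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Constructed sample of "strings"-style output from a decompiled APK. These
# values are illustrative and are not indicators extracted from DocSwap; the
# IP address is an RFC 5737 documentation address.
SAMPLE_STRINGS = [
    "com.example.app.MainService",
    "aHR0cDovLzE5Mi4wLjIuMTAvZG93bmNhdC5waHA=",  # base64("http://192.0.2.10/downcat.php")
    "url=c2VjdXJpdHkuZGF0",                      # base64("security.dat") inside a longer string
    "Tap to view more details",
    "QUJDREVGR0g=",                              # base64("ABCDEFGH"): decodes, but is not an indicator
    "BroadcastReceiver",                         # base64-alphabet run whose length is not a multiple of 4
]

# A run of base64 alphabet characters long enough to be worth decoding.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
_FILENAME = re.compile(r"^[\w\-./]+\.[A-Za-z0-9]{2,4}$")


def classify(decoded: str) -> str:
    """Label a decoded string by what an analyst would pivot on."""
    parsed = urlparse(decoded)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    if _FILENAME.match(decoded):
        return "filename"
    return "text"


def try_decode(token: str):
    """Strictly decode a candidate token; return printable ASCII text or None."""
    if len(token) % 4 != 0:          # not padded to a base64 quantum: skip, do not guess
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text or not text.isprintable():
        return None
    return text


def recover_base64_strings(lines):
    """Scan each line for base64 tokens; return (token, decoded, kind) for each hit."""
    hits = []
    for line in lines:
        for match in _B64_TOKEN.finditer(line):
            token = match.group(0)
            decoded = try_decode(token)
            if decoded is not None:
                hits.append((token, decoded, classify(decoded)))
    return hits


def indicators(lines):
    """Only the decoded URLs and filenames, which are what you would hunt on."""
    return [(decoded, kind) for _, decoded, kind in recover_base64_strings(lines) if kind != "text"]


if __name__ == "__main__":
    for token, decoded, kind in recover_base64_strings(SAMPLE_STRINGS):
        print(f"{kind:9} {decoded!r:40} <- {token}")
```

Running the script prints every decodable token with its label; `indicators()` returns only the URL and filename hits. The length check deliberately skips base64-alphabet runs whose length is not a multiple of 4 (such as the identifier BroadcastReceiver) instead of padding them, which avoids false decodes at the cost of missing tokens that a strings tool has truncated.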

Mobile T1660 Phishing

DocSwap has used phishing messages (smishing) and emails to gain initial access to devices.[1]

Mobile T1636 .002 Protected User Data: Call Log

DocSwap has requested the READ_CALL_LOG and WRITE_CALL_LOG permissions and has the ability to send call logs.[1][2]

.003 Protected User Data: Contact List

DocSwap has requested the READ_CONTACTS and WRITE_CONTACTS permissions and has the ability to send contact information.[1][2]

.004 Protected User Data: SMS Messages

DocSwap has checked for the READ_SMS and RECEIVE_SMS permissions.[1][2] DocSwap also has the ability to send SMS information, including the sender or receiver, the message content, and the timestamp.[2]

.005 Protected User Data: Accounts

DocSwap has the ability to send registered account information.[1][2]

Mobile T1418 Software Discovery

DocSwap has the ability to send installed application information, including application name, package name, installation timestamp, icon, and properties.[2]

Mobile T1426 System Information Discovery

DocSwap has checked for the LOCAL_MAC_ADDRESS permission and has the ability to send system information.[1][2]

Mobile T1422 System Network Configuration Discovery

DocSwap has checked for the LOCAL_MAC_ADDRESS and READ_PRIVILEGED_PHONE_STATE permissions.[1]

.002 Wi-Fi Discovery

DocSwap has checked for the ACCESS_WIFI_STATE and CHANGE_WIFI_STATE permissions.[1]

Mobile T1512 Video Capture

DocSwap has the ability to start and stop camera recording.[1][2]
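Many of the entries above (T1453 Abuse Accessibility Features, T1624.001 Broadcast Receivers, T1541 Foreground Persistence, T1655.001 Masquerading, and the permission checks under Protected User Data and the discovery techniques) are visible in a decoded AndroidManifest.xml before any dynamic analysis. The Python script below is an added triage example, not code from the page or from the cited reports: it parses a decoded manifest, reports the permissions this page names, receivers registered for the boot and charger broadcasts, services bound as accessibility services, and the impersonated package name, and assigns a rough verdict. Both manifests are constructed test inputs (placeholder class names, the legitimate package name from the T1655.001 entry, and RECEIVE_BOOT_COMPLETED, which Android requires for a BOOT_COMPLETED receiver but which the page does not list); the scoring weights are an assumption of this example, not a published detection rule.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS          # prefix ElementTree uses for android:* attributes

# Permissions, broadcast actions and the impersonated package named on this page.
PAGE_PERMISSIONS = {
    "android.permission." + p for p in (
        "READ_SMS", "RECEIVE_SMS", "READ_CALL_LOG", "WRITE_CALL_LOG",
        "READ_CONTACTS", "WRITE_CONTACTS", "CALL_PHONE", "FOREGROUND_SERVICE",
        "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE", "MANAGE_EXTERNAL_STORAGE",
        "LOCAL_MAC_ADDRESS", "READ_PRIVILEGED_PHONE_STATE",
        "ACCESS_WIFI_STATE", "CHANGE_WIFI_STATE",
    )
}
PERSISTENCE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.ACTION_POWER_CONNECTED",
    "android.intent.action.ACTION_POWER_DISCONNECTED",
}
IMPERSONATED_PACKAGES = {"com.bycomsolutions.bycomvpn"}
# Standard Android declaration for an accessibility service (general Android fact, not page-specific).
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed decoded manifest reproducing the declarations the page describes. It is a
# test input for this example, not a manifest extracted from a sample; class names are
# placeholders, and RECEIVE_BOOT_COMPLETED is required by Android but not named on the page.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.bycomsolutions.bycomvpn">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="VPN">
    <service android:name=".KeyService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
        <action android:name="android.intent.action.ACTION_POWER_DISCONNECTED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed minimal manifest with none of the indicators, for the negative case.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"><activity android:name=".Main"/></application>
</manifest>"""


def triage(manifest_xml: str) -> dict:
    """Return the page's indicators found in a decoded manifest plus a rough verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(A + "name", "") for p in root.iter("uses-permission")}
    data_perms = sorted(requested & PAGE_PERMISSIONS)

    # Receivers that restart the app on boot or charger events (T1624.001).
    persistence = {}
    for rcv in root.iter("receiver"):
        hit = sorted({a.get(A + "name", "") for a in rcv.iter("action")} & PERSISTENCE_ACTIONS)
        if hit:
            persistence[rcv.get(A + "name", "?")] = hit

    # Services the system binds as accessibility services (T1453 / T1417.001).
    accessibility = sorted(
        s.get(A + "name", "?") for s in root.iter("service")
        if s.get(A + "permission") == BIND_ACCESSIBILITY
    )

    package = root.get("package", "")
    # Weights are this example's assumption: accessibility binding counts double.
    score = ((2 if accessibility else 0) + (1 if persistence else 0)
             + (1 if len(data_perms) >= 3 else 0) + (1 if package in IMPERSONATED_PACKAGES else 0))
    verdict = "high" if score >= 3 else "medium" if score >= 2 else "low"
    return {
        "package": package,
        "impersonates_known_package": package in IMPERSONATED_PACKAGES,
        "sensitive_permissions": data_perms,
        "persistence_receivers": persistence,
        "accessibility_services": accessibility,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage(manifest))
```

The script takes the decoded manifest text such as apktool writes out; the binary manifest inside an APK must be decoded first. An accessibility-bound service is weighted as the strongest single signal because, as the T1453 and T1417.001 entries show, it is what turns a permission set into a keylogger, and a VPN-branded package that also asks for SMS, call-log and contact access is the incongruity an analyst would check first.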

References