Beware of the North Korea Prayer (NKPrayer) malicious app
2017-12-27 • Hauri • Beware of NKPrayer malicious app
http://www.hauri.co.kr/security/issue_view.html?intSeq=355&page=1&article_num=277
KakaoTalk phishing was being used in South Korea to target North Korean defectors by impersonating a familiar contact and persuading victims to open a URL or install an app package. The malicious app masqueraded as “North Korea Prayer” and, once installed, monitored the device, stole sensitive personal information, and sent it to a command-and-control server. The infection chain included an overlay that forced an advertisement to the top of the screen and silently installed an unauthorized app. The excerpt names three files: bbb.apk, described as a legitimate Google Play call-recording app; aaa.apk, which stole device information and downloaded a DEX file that was loaded in memory; and custom.dex, which handled surveillance, data theft, and exfiltration.