Kimsuky APT Group Distributes Fake Security App Disguised as KISA Security Program

2021-06-03 Cybleinc

https://cyble.com/blog/kimsuky-apt-group-distributes-fake-security-app-disguised-as-kisa-security-program/


Cyble reported that Kimsuky (also tracked as Black Banshee, Thallium, and Velvet Chollima) distributed a fake Korea Internet & Security Agency (KISA) mobile security app through malicious emails. The APK used the package name com.kisa.mobile_security and was detected as an Android/Spy.Agent.BQS variant with similarities to Cerberus-style Android spyware. Once installed and granted the requested permissions, the app ran background services and receivers to read SMS, phone state, storage, and package-usage data; track location; overlay other apps; send SMS messages; upload or download files; and control processes. The campaign fits Kimsuky's broader North Korea-linked spearphishing and social-engineering tradecraft against South Korean, Japanese, and U.S.-linked targets.

Indicators of Compromise

Type     Value                               First Seen   Last Seen
HASH     fe1a734019f0dc714bd3360e2369853…    2021-06-03   2021-09-12
URL      http://app.at-me.ml/index.php?m…    2021-06-03   2021-09-12
URL      http://app.at-me.ml/index.php?m…    2021-06-03   2021-09-12
DOMAIN   app.at-me.ml                        2021-06-03   2021-09-12
IPv4     104.128.239.70                      2021-06-03   2021-09-12
URL      http://app.at-me.ml/index.php       2021-06-03   2021-06-23
URL      http://app.at-me.ml/index.php?m…    2021-06-03   2021-06-03
URL      http://app.at-me.ml/                2021-06-03   2021-06-03
DOMAIN   amibreached.com                     2021-06-03   2021-06-03
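The indicator rows above are the kind of feed a defender loads into a log search, but two details matter in practice: the hash and several URLs are truncated on this page (they end in "…") and cannot be matched as-is, and domain indicators should match subdomains without matching look-alike suffixes. The following Python script is an added example, not Cyble's code or tooling: it parses the rows exactly as listed, drops truncated values from matching, builds domain/IP/URL lookup sets (URL hostnames are folded into the domain set), and scans a few constructed DNS and proxy log lines in a hypothetical key=value format. The log lines and their timestamps are invented for the demonstration; the indicator values are taken from the table.

```python
"""Match the page's indicators (non-truncated ones) against sample log lines."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicator rows copied from the table on this page. Values ending in "…" are
# truncated on the page; they are parsed for the record but never matched.
IOC_TABLE = """\
HASH fe1a734019f0dc714bd3360e2369853… 2021-06-03 2021-09-12
URL http://app.at-me.ml/index.php?m… 2021-06-03 2021-09-12
URL http://app.at-me.ml/index.php?m… 2021-06-03 2021-09-12
DOMAIN app.at-me.ml 2021-06-03 2021-09-12
IPv4 104.128.239.70 2021-06-03 2021-09-12
URL http://app.at-me.ml/index.php 2021-06-03 2021-06-23
URL http://app.at-me.ml/index.php?m… 2021-06-03 2021-06-03
URL http://app.at-me.ml/ 2021-06-03 2021-06-03
DOMAIN amibreached.com 2021-06-03 2021-06-03
"""

# Constructed sample logs (hypothetical key=value format, made up for this example).
DNS_LOG = """\
2021-06-04T09:12:31Z client=10.0.0.23 qname=app.at-me.ml qtype=A
2021-06-04T09:12:32Z client=10.0.0.23 qname=www.example.com qtype=A
2021-06-04T09:12:40Z client=10.0.0.41 qname=notapp.at-me.ml.evil.test qtype=A
"""
PROXY_LOG = """\
2021-06-04T09:12:33Z src=10.0.0.23 dst=104.128.239.70 url=http://app.at-me.ml/index.php status=200
2021-06-04T09:13:02Z src=10.0.0.77 dst=93.184.216.34 url=http://www.example.com/ status=200
"""


@dataclass(frozen=True)
class Indicator:
    kind: str
    value: str
    first_seen: str
    last_seen: str

    @property
    def truncated(self) -> bool:
        # A value cut off on the page cannot be used for exact matching.
        return self.value.endswith("…") or self.value.endswith("...")


def parse_iocs(text: str) -> list[Indicator]:
    """Parse 'TYPE VALUE FIRST LAST' rows; lines with another shape are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            rows.append(Indicator(*parts))
    return rows


def usable(indicators: list[Indicator]) -> list[Indicator]:
    return [i for i in indicators if not i.truncated]


def build_index(indicators: list[Indicator]) -> dict[str, set[str]]:
    """Lookup sets by kind; hostnames of full URLs are added to the domain set."""
    idx: dict[str, set[str]] = {"domains": set(), "ips": set(), "urls": set()}
    for ioc in usable(indicators):
        if ioc.kind == "DOMAIN":
            idx["domains"].add(ioc.value.lower())
        elif ioc.kind == "IPv4":
            idx["ips"].add(ioc.value)
        elif ioc.kind == "URL":
            idx["urls"].add(ioc.value)
            host = urlsplit(ioc.value).hostname
            if host:
                idx["domains"].add(host.lower())
    return idx


def domain_hit(name: str, domains: set[str]) -> bool:
    """Exact match or a true subdomain; 'notapp.at-me.ml.evil.test' must not hit."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


KV = re.compile(r"(\w+)=(\S+)")


def scan_line(line: str, idx: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return (indicator kind, matched value) pairs for one key=value log line."""
    fields = dict(KV.findall(line))
    hits: list[tuple[str, str]] = []
    qname = fields.get("qname")
    if qname and domain_hit(qname, idx["domains"]):
        hits.append(("DOMAIN", qname))
    dst = fields.get("dst")
    if dst and dst in idx["ips"]:
        hits.append(("IPv4", dst))
    url = fields.get("url")
    if url:
        if url in idx["urls"]:
            hits.append(("URL", url))
        else:
            host = urlsplit(url).hostname
            if host and domain_hit(host, idx["domains"]):
                hits.append(("DOMAIN", host))
    return hits


def scan_logs(text: str, idx: dict[str, set[str]]) -> list[tuple[str, list[tuple[str, str]]]]:
    """Return only the log lines that matched, each with its list of hits."""
    results = []
    for line in text.splitlines():
        hits = scan_line(line, idx)
        if hits:
            results.append((line, hits))
    return results


if __name__ == "__main__":
    index = build_index(parse_iocs(IOC_TABLE))
    for source, log in (("dns", DNS_LOG), ("proxy", PROXY_LOG)):
        for line, hits in scan_logs(log, index):
            print(f"[{source}] {hits} <- {line}")
```

The subdomain test in domain_hit is the part worth copying: matching on "contains" would have flagged the look-alike query in the third DNS line, while suffix matching on "." + domain flags only real subdomains. In a real deployment the truncated rows would be replaced with the full values from the original Cyble report before loading.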
