North Korean Defectors and Journalists Targeted Using Social Networks and KakaoTalk

2018-01-11 McAfee

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/north-korean-defectors-journalists-targeted-using-social-networks-kakaotalk/

McAfee analyzed Android spyware delivered to North Korean defectors, journalists, and groups assisting defectors; the attackers used KakaoTalk, Facebook, email, and Google-shortened links to push malicious APKs. The droppers posed as apps such as “Pray for North Korea” and “BloodAssistant.” Once run, a dropper checked whether the device was already infected, phished the user into granting accessibility permissions, overlaid the screen to hide the installation steps, and installed a Trojan payload. The Trojan used cloud services including Dropbox and Yandex for command-and-control: it uploaded device information, downloaded command files and dex modules, and supported capabilities such as SMS and contact theft, call-recording variants, and KakaoTalk chat-log capture. McAfee found Korean-culture-themed account names, a North Korean dialect term, a North Korean IP address in test logs, and a deleted “sun Team Folder,” but stated that it could not confirm the actor and that the possible Sun Team was not linked to known cybercrime groups.

Indicators of Compromise

Type     Value          First Seen   Last Seen
DOMAIN   ihoodtec.com   2018-01-11   2018-01-11
