Unveil the evolution of Kimsuky targeting Android devices with newly discovered mobile malware
2022-10-25 • S2W
S2W Talon identified three Android malware families—FastFire, FastViewer, and FastSpy—while tracking Kimsuky mobile operations. The APKs disguise themselves as Google Security Plugin or Hancom Office Viewer; FastFire uses Firebase Cloud Messaging for command delivery, while FastViewer steals device data and downloads FastSpy, an AndroSpy-based remote access tool that communicates over TCP/IP. The report links the activity to Kimsuky through prior AppleSeed mobile activity, infrastructure overlaps, and mobile phishing against South Korean users, showing the group’s Android targeting has expanded beyond Windows-focused spear phishing.