S9005: DocSwap
DocSwap is an Android malware first identified in 2025 and attributed to Kimsuky. DocSwap’s name is a combination of its Korean name “문서열람 인증 앱” (Document Viewing Authentication App) and a phishing page masquerading as CoinSwap at the C2 address. Based on DocSwap’s name and Korean-language strings, DocSwap potentially targets mobile device users in South Korea. Several variants of DocSwap exist; one of the latest samples indicates that the adversary added a native decryption function that decrypts an internal APK.[1][2]
Analyst context for executives and security teams
DocSwap matters because it is Android malware with a broad mobile collection and persistence profile: the ATT&CK relationships include discovery of apps, files, device/network/Wi-Fi details, collection of accounts, contacts, SMS and call logs, audio/video capture, location tracking, keylogging, accessibility abuse, and web-protocol command-and-control. For leaders, the practical issue is not only a compromised phone; it is the potential loss of identity data, communications, location context, and sensitive local files from mobile users. MITRE notes Korean-language strings and potential targeting of mobile users in South Korea, and attributes the malware to Kimsuky.
Executive priority
Treat DocSwap as a mobile security readiness test case: can the organization prove which Android devices are managed, what apps are installed, which apps hold high-risk permissions, and whether accessibility, microphone, camera, location, SMS, contacts, call, and account access are governed? Because MITRE provides no official detection guidance, priority should be on control validation and evidence: mobile device management coverage, app installation governance, permission review, mobile network visibility, and incident response procedures for collecting and containing Android evidence without losing business-critical communications.
Technical view
SOC and IR teams should validate Android-focused coverage against the related ATT&CK behaviors rather than relying on a single signature. Key checks include app inventory and package changes, suspicious accessibility service enablement, foreground service use for continued sensor access, broadcast receiver registration for persistence, native library or internal APK decryption behavior, sensitive permission requests, enumeration of installed apps/files/device/network/Wi-Fi information, access to SMS/contacts/call logs/accounts, audio/video/location use, and HTTP/HTTPS communications to external infrastructure. Detection engineering should account for legitimate Android apps that request similar permissions and should prioritize combinations of behaviors over isolated permission presence.
Likely telemetry
- Managed Android device inventory, app/package inventory, install source, version, and signing metadata
- Android application permission state and permission-change history for microphone, camera, location, SMS, contacts, call logs, phone, accounts, and accessibility
- Accessibility service enablement events and foreground service indicators
- Broadcast receiver, boot/event-triggered execution, and app persistence-related metadata where available
- Mobile threat defense or EDR telemetry for native code, embedded/decrypted APKs, file deletion, local file access, and app/process behavior
Detection direction
- Because MITRE does not provide official detection text, build detections from behavior clusters: high-risk permissions plus accessibility abuse, sensor access, local data access, discovery, persistence, and external web-protocol communications.
- Prioritize alerting on newly installed or uncommon Android apps that request multiple sensitive permissions and also register broadcast receivers or run foreground services.
- Tune for legitimate business apps that require camera, microphone, location, contacts, or SMS access; permission presence alone is a weak signal.
- Validate whether mobile telemetry can observe native code use, embedded/decrypted APK activity, and obfuscated files, since DocSwap variants are described as including native decryption of an internal APK.
- Use relationship context to hunt for collection breadth: accounts, SMS, contacts, call logs, local files, audio/video, and location together are more material than any single access pattern.
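The behavior-cluster approach above, as an added example that is not part of this page or of any vendor product: it scores one Android app inventory record using the permission set, the boot/power receiver actions, the accessibility service, the foreground service and the native-library-plus-`security.dat` pattern listed in the techniques table, so that sensitive permissions alone never reach the alert threshold while their combination does. The `AppRecord` field names, the weights, the threshold and the two sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Permissions named in this page's DocSwap technique table, plus READ_SMS, RECORD_AUDIO,
# CAMERA and ACCESS_FINE_LOCATION assumed to back the SMS, audio, video and location techniques.
SENSITIVE = {"READ_CONTACTS", "WRITE_CONTACTS", "READ_CALL_LOG", "WRITE_CALL_LOG", "CALL_PHONE",
             "READ_SMS", "RECORD_AUDIO", "CAMERA", "ACCESS_FINE_LOCATION", "READ_EXTERNAL_STORAGE",
             "MANAGE_EXTERNAL_STORAGE", "ACCESS_WIFI_STATE", "CHANGE_WIFI_STATE"}
# Intent actions DocSwap registers to relaunch its MainService (T1624.001).
PERSIST_ACTIONS = {"android.intent.action.BOOT_COMPLETED", "android.intent.action.ACTION_POWER_CONNECTED",
                   "android.intent.action.ACTION_POWER_DISCONNECTED"}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play's installer package
ALERT_THRESHOLD = 6  # assumed: tune against your own baseline of business apps

@dataclass
class AppRecord:            # one row of the managed-device app inventory (field names are assumed)
    package: str
    installer: str
    permissions: set = field(default_factory=set)        # short names, e.g. "READ_SMS"
    receiver_actions: set = field(default_factory=set)   # intent actions of declared receivers
    accessibility_service: bool = False                  # service bound with BIND_ACCESSIBILITY_SERVICE
    foreground_service: bool = False
    native_libs: set = field(default_factory=set)
    assets: set = field(default_factory=set)

def score(app: AppRecord):
    """Return (total, reasons). Permission breadth alone (2) never reaches ALERT_THRESHOLD."""
    hits = []
    sens = app.permissions & SENSITIVE
    if len(sens) >= 4:
        hits.append((2, f"{len(sens)} sensitive permissions"))
    if app.accessibility_service:
        hits.append((3, "accessibility service declared (keylogging/UI abuse vector)"))
    if app.receiver_actions & PERSIST_ACTIONS:
        hits.append((2, "boot/power broadcast receivers (persistence)"))
    if app.foreground_service:
        hits.append((1, "foreground service (continued sensor access)"))
    if app.native_libs and any(a.endswith(".dat") for a in app.assets):
        hits.append((2, "native library plus opaque .dat asset (possible embedded APK decryption)"))
    if app.installer not in TRUSTED_INSTALLERS:
        hits.append((2, f"sideloaded via {app.installer}"))
    return sum(p for p, _ in hits), [why for _, why in hits]

def verdict(app: AppRecord) -> str:
    return "investigate" if score(app)[0] >= ALERT_THRESHOLD else "baseline"

# Constructed records: a Play-installed messaging app and a DocSwap-like sideloaded VPN lookalike.
MESSENGER = AppRecord("com.example.messenger", "com.android.vending",
                      {"READ_CONTACTS", "READ_SMS", "CAMERA", "RECORD_AUDIO"}, foreground_service=True)
LOOKALIKE = AppRecord("com.bycomsolutions.bycomvpn", "com.android.packageinstaller",
                      SENSITIVE | {"RECEIVE_BOOT_COMPLETED"}, PERSIST_ACTIONS, True, True,
                      {"libnative-lib.so"}, {"security.dat"})
```

The messenger scores 3 (permissions plus a foreground service) and stays at baseline; the lookalike scores 12 and is flagged, with the reasons list ready to attach to the alert.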
Mitigation priorities
- Ensure Android devices with business access are enrolled in managed mobile controls and maintain an auditable inventory of installed applications and permissions.
- Restrict or review installation of untrusted applications and require app vetting before access to corporate data or identity systems.
- Apply least-privilege permission governance for accessibility, microphone, camera, location, SMS, contacts, call logs, phone controls, and account access.
- Monitor and periodically review apps using accessibility services, foreground services, broadcast receivers, and sensitive content providers.
- Segment mobile access to business systems so compromise of a device does not automatically expose broad identity, communications, or cloud resources.
Analyst notes and limits
This take is based on ATT&CK S9005 DocSwap, its official description, external references, and listed uses of mobile ATT&CK techniques. The object is Android-specific, has no aliases, no specified tactics in the supplied fields, and no official MITRE detection text. MITRE states DocSwap was first identified in 2025, attributes it to Kimsuky, notes potential South Korea targeting based on name and Korean-language strings, and describes variants including a native decryption function for an internal APK.
Local exposure cannot be inferred from ATT&CK alone. Confirmation requires device inventory, app telemetry, permission data, network logs, and incident evidence from the organization’s Android estate. The supplied object does not provide indicators, package names, hashes, C2 values, detection logic, impact statements, or confirmed victimology beyond potential targeting context.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1406 | Obfuscated Files or Information | DocSwap has used an obfuscated APK file and Base64-encoded URLs and files.[1][2] |
| Mobile | T1429 | Audio Capture | DocSwap has the ability to start and stop audio recording.[1][2] |
| Mobile | T1417.001 | Keylogging Sub-technique | When an accessibility event occurs, DocSwap has used a keylogger to record the target application’s icon, package name, event text, and timestamp.[1][2] |
| Mobile | T1426 | System Information Discovery | DocSwap has checked for the `LOCAL_MAC_ADDRESS` permission and has the ability to send system information.[1][2] |
| Mobile | T1575 | Native API | DocSwap has decrypted the encrypted APK file `security.dat` using the `decryptFile` function in the `native-lib` library.[1] |
| Mobile | T1541 | Foreground Persistence | |
| Mobile | T1420 | File and Directory Discovery | DocSwap has checked for the `READ_EXTERNAL_STORAGE` and `MANAGE_EXTERNAL_STORAGE` permissions.[1][2] |
| Mobile | T1636.004 | SMS Messages Sub-technique | |
| Mobile | T1422.002 | Wi-Fi Discovery Sub-technique | DocSwap has checked for the `ACCESS_WIFI_STATE` and `CHANGE_WIFI_STATE` permissions.[1] |
| Mobile | T1422 | System Network Configuration Discovery | DocSwap has checked for the `LOCAL_MAC_ADDRESS` and `READ_PRIVILEGED_PHONE_STATE` permissions.[1] |
| Mobile | T1512 | Video Capture | DocSwap has the ability to start and stop camera recording.[1][2] |
| Mobile | T1627 | Execution Guardrails | |
| Mobile | T1636.003 | Contact List Sub-technique | DocSwap has requested the `READ_CONTACTS` and `WRITE_CONTACTS` permissions and has the ability to send contact information.[1][2] |
| Mobile | T1616 | Call Control | DocSwap has requested the `CALL_PHONE` permission to make phone calls.[1][2] |
| Mobile | T1636.002 | Call Log Sub-technique | DocSwap has requested the `READ_CALL_LOG` and `WRITE_CALL_LOG` permissions and has the ability to send call logs.[1][2] |
| Mobile | T1453 | Abuse Accessibility Features | Once accessibility permissions are granted, DocSwap has abused the Accessibility Service to execute a keylogging capability.[1][2] |
| Mobile | T1544 | Ingress Tool Transfer | DocSwap has the ability to upload and download files via socket communication.[1][2] |
| Mobile | T1624.001 | Broadcast Receivers Sub-technique | DocSwap has registered the following intents to automatically execute MainService on device reboot: `android.intent.action.BOOT_COMPLETED`, `android.intent.action.ACTION_POWER_CONNECTED`, and `android.intent.action.ACTION_POWER_DISCONNECTED`.[1][2] |
| Mobile | T1430 | Location Tracking | DocSwap has the ability to collect location information and to start/stop location information from being sent to the C2 server.[1][2] |
| Mobile | T1655.001 | Match Legitimate Name or Location Sub-technique | DocSwap has masqueraded as a VPN application, using the same package name (`com.bycomsolutions.bycomvpn`) and having a similar file structure, metadata, and code routines as the legitimate application.[1] |
| Mobile | T1630.002 | File Deletion Sub-technique | DocSwap has the ability to delete files and directories.[1][2] |
| Mobile | T1660 | Phishing | DocSwap has used phishing messages (smishing) and emails to gain initial access to devices.[1] |
| Mobile | T1636.005 | Accounts Sub-technique | DocSwap has the ability to send registered account information.[1][2] |
| Mobile | T1437.001 | Web Protocols Sub-technique | DocSwap has sent a POST request to `downcat.php` while recording the access time and APK URL path.[1] |
| Mobile | T1533 | Data from Local System | DocSwap has checked for the `WRITE_EXTERNAL_STORAGE` permission.[1][2] |
| Mobile | T1646 | Exfiltration Over C2 Channel | DocSwap has used a hardcoded IP address and port for C2 and exfiltration over socket communication.[2] |
| Mobile | T1418 | Software Discovery | DocSwap has the ability to send installed application information, including application name, package name, installation timestamp, icon, and properties.[2] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 939dea167974… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] EnkiWhiteHat_KimsukyDOCSWAP_Dec2025: EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. Retrieved January 8, 2026.
[2] S2W_DocSwap_Mar2025: Kim, H., S2W TALON. (2025, March 13). Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer. Retrieved January 12, 2026.
[3] mitre-attack: S9005 (MITRE ATT&CK source record).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.