S9005: DocSwap

DocSwap matters because it is Android malware with a broad mobile collection and persistence profile: the ATT&CK relationships include discovery of apps, files, device/network/Wi-Fi details, collection of accounts, contacts, SMS and call logs, audio/video capture, location tracking, keylogging, accessibility abuse, and web-protocol command-and-control. For leaders, the practical issue is not only a compromised phone; it is the potential loss of identity data, communications, location context, and sensitive local files from mobile users. MITRE notes Korean-language strings and potential targeting of mobile users in South Korea, and attributes the malware to Kimsuky.

Executive priority

Treat DocSwap as a mobile security readiness test case: can the organization prove which Android devices are managed, what apps are installed, which apps hold high-risk permissions, and whether accessibility, microphone, camera, location, SMS, contacts, call, and account access are governed? Because MITRE provides no official detection guidance, priority should be on control validation and evidence: mobile device management coverage, app installation governance, permission review, mobile network visibility, and incident response procedures for collecting and containing Android evidence without losing business-critical communications.

Technical view

SOC and IR teams should validate Android-focused coverage against the related ATT&CK behaviors rather than relying on a single signature. Key checks include app inventory and package changes, suspicious accessibility service enablement, foreground service use for continued sensor access, broadcast receiver registration for persistence, native library or internal APK decryption behavior, sensitive permission requests, enumeration of installed apps/files/device/network/Wi-Fi information, access to SMS/contacts/call logs/accounts, audio/video/location use, and HTTP/HTTPS communications to external infrastructure. Detection engineering should account for legitimate Android apps that request similar permissions and should prioritize combinations of behaviors over isolated permission presence.

Likely telemetry

Managed Android device inventory, app/package inventory, install source, version, and signing metadata
Android application permission state and permission-change history for microphone, camera, location, SMS, contacts, call logs, phone, accounts, and accessibility
Accessibility service enablement events and foreground service indicators
Broadcast receiver, boot/event-triggered execution, and app persistence-related metadata where available
Mobile threat defense or EDR telemetry for native code, embedded/decrypted APKs, file deletion, local file access, and app/process behavior

Detection direction

Because MITRE does not provide official detection text, build detections from behavior clusters: high-risk permissions plus accessibility abuse, sensor access, local data access, discovery, persistence, and external web-protocol communications.
Prioritize alerting on newly installed or uncommon Android apps that request multiple sensitive permissions and also register broadcast receivers or run foreground services.
Tune for legitimate business apps that require camera, microphone, location, contacts, or SMS access; permission presence alone is a weak signal.
Validate whether mobile telemetry can observe native code use, embedded/decrypted APK activity, and obfuscated files, since DocSwap variants are described as including native decryption of an internal APK.
Use relationship context to hunt for collection breadth: accounts, SMS, contacts, call logs, local files, audio/video, and location together are more material than any single access pattern.

Mitigation priorities

Ensure Android devices with business access are enrolled in managed mobile controls and maintain an auditable inventory of installed applications and permissions.
Restrict or review installation of untrusted applications and require app vetting before access to corporate data or identity systems.
Apply least-privilege permission governance for accessibility, microphone, camera, location, SMS, contacts, call logs, phone controls, and account access.
Monitor and periodically review apps using accessibility services, foreground services, broadcast receivers, and sensitive content providers.
Segment mobile access to business systems so compromise of a device does not automatically expose broad identity, communications, or cloud resources.

Analyst notes and limits

This take is based on ATT&CK S9005 DocSwap, its official description, external references, and listed uses of mobile ATT&CK techniques. The object is Android-specific, has no aliases, no specified tactics in the supplied fields, and no official MITRE detection text. MITRE states DocSwap was first identified in 2025, attributes it to Kimsuky, notes potential South Korea targeting based on name and Korean-language strings, and describes variants including a native decryption function for an internal APK.

Local exposure cannot be inferred from ATT&CK alone. Confirmation requires device inventory, app telemetry, permission data, network logs, and incident evidence from the organization’s Android estate. The supplied object does not provide indicators, package names, hashes, C2 values, detection logic, impact statements, or confirmed victimology beyond potential targeting context.

Official MITRE ATT&CK definition

DocSwap

DocSwap is an Android malware first identified in 2025, and attributed to Kimsuky. DocSwap’s name is a combination of its Korean name “문서열람 인증 앱” (Document Viewing Authentication App) and a phishing page masquerading as CoinSwap at the C2 address. Based on DocSwap’s name and Korean-language strings, DocSwap potentially targets mobile device users in South Korea. Several variants of DocSwap exist; one of the latest samples indicates that the adversary added a native decryption function that decrypts an internal APK.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 27 rows

Domain	ID	Name	Relationship / procedure
Mobile	T1406	Obfuscated Files or Information	DocSwap has used an obfuscated APK file and Base64-encoded URLs and files.[1][2]
Mobile	T1429	Audio Capture	DocSwap has the ability to start and stop audio recording.[1][2]
Mobile	T1417.001	Keylogging Sub-technique	When an accessibility event occurs, DocSwap has used a keylogger to record the target application’s icon, package name, event text, and timestamp.[1][2]
Mobile	T1426	System Information Discovery	DocSwap has checked for the `LOCAL_MAC_ADDRESS` permission and has the ability to send system information.[1][2]
Mobile	T1575	Native API	DocSwap has decrypted the encrypted APK file security.dat using the `decryptFile` function in the `native-lib` library.[1]
Mobile	T1541	Foreground Persistence	DocSwap has checked for the `FOREGROUND_SERVICE` permission.[1] DocSwap has also used the StartForeground API to generate a notification saying “Tap to view more details or stop the app” in Korean and to maintain persistence.[2]
Mobile	T1420	File and Directory Discovery	DocSwap has checked for the `READ_EXTERNAL_STORAGE` and `MANAGE_EXTERNAL_STORAGE` permissions.[1][2]
Mobile	T1636.004	SMS Messages Sub-technique	DocSwap has checked for the `READ_SMS` and `RECEIVE_SMS` permissions.[1][2] DocSwap also has the ability to send SMS information, including the sender or receiver, the message content, and the timestamp.[2]
Mobile	T1422.002	Wi-Fi Discovery Sub-technique	DocSwap has checked for the `ACCESS_WIFI_STATE` and `CHANGE_WIFI_STATE` permissions.[1]
Mobile	T1422	System Network Configuration Discovery	DocSwap has checked for the `LOCAL_MAC_ADDRESS` and `READ_PRIVILEGED_PHONE_STATE` permissions.[1]
Mobile	T1512	Video Capture	DocSwap has the ability to start and stop camera recording.[1][2]
Mobile	T1627	Execution Guardrails	DocSwap has checked if the victim has accessed the malicious URL from a PC. If so, DocSwap redirected the victim to scan the malicious QR code using a mobile device.[1]
Mobile	T1636.003	Contact List Sub-technique	DocSwap has requested for the `READ_CONTACTS` and `WRITE_CONTACTS` permissions and has the ability to send contact information.[1][2]
Mobile	T1616	Call Control	DocSwap has requested for the `CALL_PHONE` permission to make phone calls.[1][2]
Mobile	T1636.002	Call Log Sub-technique	DocSwap has requested for the `READ_CALL_LOG` and `WRITE_CALL_LOG` permissions and has the ability to send call logs.[1][2]
Mobile	T1453	Abuse Accessibility Features	Once accessibility permissions are granted, DocSwap has abused the Accessibility Service to execute a keylogging capability.[1][2]
Mobile	T1544	Ingress Tool Transfer	DocSwap has the ability to upload and download files via socket communication.[1][2]
Mobile	T1624.001	Broadcast Receivers Sub-technique	DocSwap has registered the following intents to automatically execute MainService on device reboot: `android.intent.action.BOOT_COMPLETED`, `android.intent.action.ACTION_POWER_CONNECTED`, and `android.intent.action.ACTION_POWER_DISCONNECTED`.[1][2]
Mobile	T1430	Location Tracking	DocSwap has the ability to collect location information and to start/stop location information from being sent to the C2 server.[1][2]
Mobile	T1655.001	Match Legitimate Name or Location Sub-technique	DocSwap has masqueraded as a VPN application, using the same package name (` com.bycomsolutions.bycomvpn `) and having similar file structure, metadata and code routines as the legitimate application.[1]
Mobile	T1630.002	File Deletion Sub-technique	DocSwap has the ability to delete files and directories.[1][2]
Mobile	T1660	Phishing	DocSwap has used phishing messages (smishing) and emails to gain initial access to devices.[1]
Mobile	T1636.005	Accounts Sub-technique	DocSwap has the ability to send registered account information.[1][2]
Mobile	T1437.001	Web Protocols Sub-technique	DocSwap has sent a POST request to downcat.php while recording the access time and APK URL path.[1]
Mobile	T1533	Data from Local System	DocSwap has checked for the `WRITE_EXTERNAL_STORAGE` permission.[1][2]
Mobile	T1646	Exfiltration Over C2 Channel	DocSwap has used a hardcoded IP address and port for C2 and exfiltration over socket communication.[2]
Mobile	T1418	Software Discovery	DocSwap has the ability to send installed application information, including application name, package name, installation timestamp, icon, and properties.[2]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Feb 16, 2026, 15:40 UTC (UTC+00:00)
Modified: Apr 23, 2026, 02:05 UTC (UTC+00:00)
Raw hash: 939dea167974769f...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Apr 23, 2026, 02:05 UTC (UTC+00:00)	Current bundle	`939dea167974…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
EnkiWhiteHat_KimsukyDOCSWAP_Dec2025

EnkiWhiteHat. (2025, December 16). Kimsuky Distributing Malicious Mobile App via QR Code. Retrieved January 8, 2026.
Open source URL
[2]
S2W_DocSwap_Mar2025

Kim, H., S2W TALON. (2025, March 13). Detailed Analysis of DocSwap Malware Disguised as Security Document Viewer. Retrieved January 12, 2026.
Open source URL
[3]
mitre-attack S9005
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams