Korea’s popular digital wallet Payco hit by signature key hijacking

The signature key of South Korea’s popular payment app Payco with more than 10 million downloads has been leaked, raising serious cyber security concerns about personal information outflow and fake installation of malicious apps.

According to multiple sources from the financial industry on Monday, security solution firm Everspin Co. sent out an emergency notice to 30 of its Korean clients, including KB Kookmin Bank, NH Nonghyup Bank, and KakaoBank, to warn that 5,144 malicious apps have been installed across Payco users’ devices with the digital wallet’s stollen certification key between Aug. 1 and Nov. 30

It warned of numerous financial accidents related to signature key management and voice phishing.

NHN headquarters [Courtesy of NHN]

Payco - managed by NHN Payco Corp. - was aware of the leak on Aug. 10 but had not informed its clients until media report by Maeil Business Newspaper. Payco said it had not made the signature key leak public because it has not found any attack on the Payco app itself.

The app certified with the Payco signature key does not need a security check as it is recognized as a legit app made by Payco. This means any voice phishing app with the same signature value as with Payco app can be installed easily at any device as a certified app, according to Everspin.

The Everspin found out that 18 apps including Hangame OTP, Fortune Monastery Today, and Ticketlink use the same signature key with Payco, suggesting the certification key leak.

Everspin suspected that the leak could have been caused by either Google Play store account leak, manager PC hacking, or inattentiveness by other managers.

“Google account leakage or management PC hacking could lead to bigger damage such as financial information leak because a hacker can switch Google Play store app,” said an unnamed official from Everspin. “It is a very serious cybersecurity issue.”

Payco will carry out an app update using a new signature key this week, said an unnamed official from Payco.

“We are devising measures to invalidate malicious app operation.”