North Korean Government Hackers Snuck Spyware onto Android App Store
In a shocking revelation, cybersecurity firm Lookout has uncovered an espionage campaign involving a spyware app called KoSpy, which was uploaded to the Google Play app store by hackers linked to the North Korean regime. The report, exclusively shared with TechCrunch ahead of time, details how the KoSpy spyware was able to trick users into downloading it, and its potential targets.
According to Lookout's director of security intelligence research, Christoph Hebeisen, the spyware campaign is likely a surveillance operation, given the functionality of the KoSpy apps identified by the company. The goals of the North Korean spyware campaign are not yet known, but Hebeisen told TechCrunch that with only a few downloads, the spyware app was likely targeting specific people.
The KoSpy spyware collects an extensive amount of sensitive information, including SMS text messages, call logs, device location data, files and folders on the device, user-entered keystrokes, Wi-Fi network details, and a list of installed apps. It can also record audio, take pictures with the phone's cameras, and capture screenshots of the screen in use.
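A defender-side illustration of the capability list above, added here and not taken from Lookout's report or from the KoSpy samples themselves: a small Python triage script that parses an AndroidManifest.xml and reports which of the capability classes named in the article (SMS, call logs, location, files, keystrokes via an accessibility service, Wi-Fi details, installed apps, audio, camera) the app declares permissions for. The permission names are real Android permissions; the capability mapping, the review threshold, and both sample manifests are constructed assumptions of this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Capability classes from the article mapped to the Android permissions an app
# would have to declare to use them. This mapping is an assumption of this
# example, not something stated in the report; legitimate apps request many of
# these individually, so the point of interest is the combination.
CAPABILITY_PERMISSIONS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.MANAGE_EXTERNAL_STORAGE"},
    # Keystroke capture on Android typically goes through an accessibility
    # service, declared on a <service> element rather than <uses-permission>.
    "keystrokes": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "wifi": {"android.permission.ACCESS_WIFI_STATE"},
    "installed_apps": {"android.permission.QUERY_ALL_PACKAGES"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
}

# Number of distinct surveillance capabilities at which a reviewer should look
# closer. Assumed threshold for this example only.
REVIEW_THRESHOLD = 5


def declared_permissions(manifest_xml: str) -> set:
    """Collect permissions from <uses-permission> and from the
    android:permission attribute of <service> elements.

    Note: a declared permission is not a granted one; this is a static
    triage signal, not proof of behaviour."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for up in root.iter("uses-permission"):
        name = up.get(NAME_ATTR)
        if name:
            perms.add(name)
    for svc in root.iter("service"):
        guard = svc.get(PERMISSION_ATTR)
        if guard:
            perms.add(guard)
    return perms


def matched_capabilities(perms: set) -> list:
    """Return the sorted capability classes whose permissions appear in perms."""
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items()
                  if perms & needed)


def triage(manifest_xml: str) -> dict:
    """Summarise a manifest: which capabilities it declares and whether the
    combination crosses the review threshold."""
    caps = matched_capabilities(declared_permissions(manifest_xml))
    return {"capabilities": caps, "count": len(caps),
            "needs_review": len(caps) >= REVIEW_THRESHOLD}


# Constructed sample: a "file manager" that declares every capability class above.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager.constructed">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application>
        <service android:name=".KeyService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    </application>
</manifest>
"""

# Constructed sample: a camera app that asks only for what it plausibly needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camera.constructed">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

The script only reads the manifest, so it flags a combination of declared capabilities rather than confirming exfiltration; it is a first-pass filter for an app-review queue or an MDM inventory, after which dynamic analysis of what the app actually does with those permissions still has to follow.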
A Targeted Campaign
Lookout found that KoSpy relied on Firestore, a cloud database built on Google Cloud infrastructure, to retrieve its "initial configurations." This suggests that the spyware was designed to be highly targeted, with specific individuals or groups as its intended victims.
According to Hebeisen and Alemdar Islamoglu, a senior staff security intelligence researcher at Lookout, while they don't have any information about who specifically may have been targeted (hacked, effectively), the company is confident that this was a highly targeted campaign, most likely going after people in South Korea who speak English or Korean.
A Path to Infiltration
The KoSpy spyware was able to infiltrate the Google Play app store and gain visibility to thousands of users. At least one of the spyware apps was downloaded over 10 times, according to a cached snapshot of the app's page on the official Android app store.
A Familiar Pattern
This latest cyber attack is part of a larger pattern of North Korean hackers using the Google Play app store to infiltrate devices. In recent years, the country has made headlines for its daring crypto heists and sophisticated hacking operations.
The use of KoSpy spyware by North Korean government hackers highlights the ongoing threat posed by state-sponsored actors in the cyber world. As Hebeisen noted, "the thing that is fascinating about the North Korean threat actors is that they are, it seems, somewhat frequently successful in getting apps into official app stores."
A Response from Google
Google spokesperson Ed Fernandez told TechCrunch that Lookout shared its report with the company, and "all of the identified apps were removed from Play" and Firebase projects were deactivated. Additionally, Google Play automatically protects users from known versions of this malware on Android devices with Google Play Services.
Contact Us
If you have more information about KoSpy or other spyware, please contact us through our SecureDrop channel or send an email to [your email address]. We are committed to providing accurate and reliable information about cybersecurity threats.