Not for the First Time: North Korean Hackers Used Fake Apps to Spread Spyware on Android
In a disturbing repeat of previous incidents, North Korean hackers have used fake apps to spread spyware on Android devices, highlighting the ongoing struggle between cyber security and state-sponsored threats.
The latest incident involved spyware dubbed KoSpy, which was uploaded to the Google Play Store by a group of hackers believed to be linked to the North Korean regime. Lookout Threat Lab researchers discovered the spyware, attributing it with medium confidence to North Korean APT group ScarCruft, also known as APT37.
The spyware was hidden in the type of fake apps that often slip past Google's checks: file managers, software update utilities, and security software. KoSpy is able to pilfer an extensive amount of sensitive information from devices it infects, including SMS messages, call logs, device location, access to files and folders on local storage, Wi-Fi network details, and a list of installed applications.
The spyware takes its sinister actions a step further by recording and taking photos with a device's cameras, capturing screenshots or recording the screen while in use, and recording keystrokes by abusing accessibility. The collected data is sent to Command and Control (C2) servers after being encrypted with a hardcoded AES key.
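The capability profile described above (SMS, call logs, location, Wi-Fi details, installed apps, camera, screen capture, and keylogging through an accessibility service) is what a triage check should compare against an app's self-declared purpose: a file manager has no business binding an accessibility service or reading SMS. The following is an added example, not code from the article or from Lookout's analysis; it parses an AndroidManifest.xml and scores permission combinations that do not fit the declared app type. The Android permission names and the accessibility-service binding are real; the sample manifests, the package names, the expected-capability table per app type, and the scoring thresholds are constructed assumptions for illustration.

```python
"""Permission-combination triage for decoded Android manifests.

Flags apps whose requested permissions and service bindings match a
surveillance profile (SMS, call log, location, camera, microphone,
accessibility service) that does not fit the purpose the app claims.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability groups and the real Android permissions that grant them.
CAPABILITIES = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "wifi_details": {"android.permission.ACCESS_WIFI_STATE"},
    "installed_apps": {"android.permission.QUERY_ALL_PACKAGES"},
}
# A service protected by this permission is an accessibility service,
# which can observe on-screen text and key input.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Assumed baseline: capabilities a legitimate app of each type plausibly needs.
EXPECTED = {
    "file_manager": {"storage"},
    "update_utility": {"installed_apps", "storage"},
    "security_app": {"installed_apps", "storage", "wifi_details"},
}

# Constructed sample: a "file manager" requesting a full spyware profile.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager">
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <application android:label="File Manager">
        <service android:name=".HelperService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample: a file manager that asks only for what it needs.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainfiles">
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Plain Files"/>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (requested permission names, whether an accessibility service is declared)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    perms.discard(None)
    accessibility = any(
        s.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION
        for s in root.iter("service")
    )
    return perms, accessibility


def triage(xml_text, declared_type):
    """Score capabilities that exceed what the declared app type should need."""
    perms, accessibility = parse_manifest(xml_text)
    granted = {cap for cap, names in CAPABILITIES.items() if perms & names}
    if accessibility:
        granted.add("accessibility")
    unexpected = sorted(granted - EXPECTED.get(declared_type, set()))
    # Assumed weighting: live-surveillance capabilities count double.
    heavy = {"camera", "microphone", "accessibility"}
    score = sum(2 if cap in heavy else 1 for cap in unexpected)
    verdict = "spyware-like" if score >= 4 else "review" if score >= 2 else "plausible"
    return {"unexpected": unexpected, "score": score, "verdict": verdict}


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest, "file_manager"))
```

Run against a decoded APK (for example the manifest extracted with apktool), the check is a first-pass filter, not a verdict: some legitimate apps do bind accessibility services, so the score should route an app to manual review of what the service actually does rather than block it outright.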
KoSpy also leveraged Firebase Firestore, Google's cloud-hosted database, to receive initial configuration data. At least one of the infected apps made it onto the Google Play Store and was publicly available for a while, with over 10 downloads cached from the listing page. Some malicious apps were also found on third-party app store APKPure.
The goals of this campaign beyond information gathering are unknown, but researchers suggest that the spyware app was likely targeting specific individuals, probably those in South Korea who speak English or Korean. This level of specificity suggests a high degree of sophistication and targeted effort from the hackers.
Google spokesperson Ed Fernandez confirmed that Lookout shared its report with the company, and all of the identified apps have now been removed from the Play Store. The Firebase projects have also been deactivated.
This incident is part of a larger pattern of North Korean state-sponsored hacking operations, which have shown no signs of slowing down. Last month, Dubai-based crypto exchange Bybit was targeted in a heist perpetrated by notorious state-sponsored North Korean hacking crew Lazarus Group, with $1.5 billion in digital assets stolen.
The ongoing threat from these hackers serves as a reminder that cyber security is an ongoing battle, and the importance of vigilance and awareness cannot be overstated. As new threats emerge, it is crucial for individuals to stay informed and take steps to protect themselves against state-sponsored espionage.