Suspected North Korean Hackers Infiltrate Google Play With 'KoSpy' Spyware

Newly discovered spyware, possibly from a North Korean hacking group, was found circulating on the Google Play Store. The spyware programs, dubbed "KoSpy," were masquerading as utility apps designed to appear legitimate and trustworthy to unsuspecting Android users.

But once installed, these malicious apps secretly collected a wide range of data from devices, including SMS messages and screenshots, according to cybersecurity vendor Lookout Mobile Security. The malicious programs supported both Korean and English, suggesting they were intended for specific regions or countries.

The Link to North Korean Hacking Groups

Lookout says it has "medium confidence" that KoSpy is linked to North Korean hacking groups such as APT37/ScarCruft, which has often focused on cyber espionage. The group's tactics and techniques are known to be sophisticated and complex, making attribution more difficult.

The App's Disguise

The spyware infiltrated Google Play as an app called "File Manager - Android." The app attracted only about 10 downloads before Google removed it. A Google spokesperson said that the use of regional language suggests this was intended as targeted malware.

How KoSpy Works

Some of the malicious apps feature a basic interface that can open an Android phone's internal settings; others merely display a dummy system window asking for device permissions. Once installed, the spyware secretly communicates with a hacker-controlled server and then downloads various plugins designed to snoop on and collect data from the Android device.
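The pattern described above (a utility app that asks for permissions unrelated to its stated purpose, draws a fake system dialog, and then pulls in data-collection plugins) is what an app-vetting pipeline should catch before install. The following triage script is an added example and is not from the article or from Lookout; it parses a constructed AndroidManifest.xml for a hypothetical "file manager" app and flags requested permissions that a file manager has no plausible need for. The permission lists are assumptions chosen for illustration, not published indicators of KoSpy.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that expose user data or the UI. A file manager has no reason to
# request any of these. Constructed list for this example, not Lookout's IoCs.
SENSITIVE = {
    "android.permission.READ_SMS": "read stored SMS messages",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.ACCESS_FINE_LOCATION": "track precise location",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (fake system dialogs)",
}

# Permissions a file manager legitimately needs (assumed baseline for this example).
EXPECTED_FOR_FILE_MANAGER = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
    "android.permission.INTERNET",
}

# Constructed manifest of a hypothetical "File Manager" that over-requests.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager.constructed">
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <application android:label="File Manager"/>
</manifest>
"""

# Constructed manifest of a file manager that requests only what it needs.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager.benign">
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="File Manager"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def triage(manifest_xml: str, expected: set) -> dict:
    """Compare requested permissions against the app's expected baseline.

    'suspicious' holds sensitive permissions with a plain-language reason;
    'unexpected' holds everything else outside the baseline, for manual review.
    """
    perms = requested_permissions(manifest_xml)
    suspicious = {p: SENSITIVE[p] for p in sorted(perms) if p in SENSITIVE}
    unexpected = sorted(p for p in perms if p not in expected and p not in SENSITIVE)
    return {
        "requested": sorted(perms),
        "suspicious": suspicious,
        "unexpected": unexpected,
        "verdict": "review" if suspicious else "ok",
    }


if __name__ == "__main__":
    for label, manifest in (("over-requesting", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(manifest, EXPECTED_FOR_FILE_MANAGER)
        print(f"{label}: verdict={result['verdict']}")
        for perm, reason in result["suspicious"].items():
            print(f"  suspicious: {perm} ({reason})")
        for perm in result["unexpected"]:
            print(f"  unexpected: {perm}")
```

The check is deliberately static: it works on the manifest alone, so it can run on an APK before install and before the app ever reaches out to a server. It cannot see plugins that are fetched after installation, which is exactly why a permission mismatch at submission time is worth blocking on rather than waiting for runtime behaviour.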

Language Support

The spyware can configure itself to display messages to the user in Korean or English, further suggesting that it was targeted at specific regions or countries.

A Brief History of KoSpy

The spyware dates back to at least March 2022, but the most recently recovered sample was collected in March 2024. The command and control servers for the spyware were also found to be inactive, so it is unclear whether KoSpy is retired or still active.

Attribution and Removal

Lookout attributed KoSpy to APT37 since one of the domains that the spyware reaches out to resolves to an IP address in South Korea that's been associated with hacking activities from APT37 and another North Korean hacking group, APT43. Google confirms that all of the apps identified were removed from Google Play. Their Firebase projects were also taken down.

"North Korean threat actors are known to have overlapping infrastructure, targeting, and TTPs (tactics, techniques, and procedures), which makes attribution to a specific actor more difficult," Lookout says.