North Korea-linked APT group ScarCruft spotted using new Android spyware KoSpy

Researchers from Lookout have uncovered a new Android surveillance tool dubbed KoSpy, which the North Korea-linked APT group ScarCruft is using to target Korean and English-speaking users. The discovery adds to an arsenal of malicious tools the group has been building since its 2018 operations and after.

ScarCruft, also known as APT37, Reaper, and Group123, has been active since at least 2012, with notable incidents including the exploitation of a zero-day vulnerability in Adobe Flash Player to deliver malware to South Korean users in February 2018. Kaspersky first documented the group's operations in 2016, highlighting their focus on government, defense, military, and media organizations in South Korea.

The latest KoSpy campaign is attributed to ScarCruft with medium confidence by Lookout researchers, who observed that the spyware has been used to infect devices via fake utility application lures such as "File Manager", "Software Update Utility" and "Kakao Security". The apps mentioned in the report have been removed from Google Play, and the associated Firebase projects have been deactivated by Google.

KoSpy collects a range of sensitive data, including SMS, calls, location, files, audio, and screenshots, through plugins. The apps it hides in offer basic utility functions to appear legitimate; the exception is Kakao Security, which tricks users with a fake permission request. The spyware also computes a unique ID for each victim from a hardware fingerprint.

Lookout researchers have noticed connections between KoSpy and North Korean threat groups APT43 and APT37, with one C2 domain linking to an IP address in South Korea previously associated with malicious Korea-related domains. These include naverfiles[.]com and mailcorp[.]center, linked to Konni malware used by APT37, and nidlogon[.]com, part of APT43's infrastructure.

The shared infrastructure suggests that KoSpy may be part of broader cyber-espionage operations targeting Korean users. However, the researchers note that North Korean threat actors are known to have overlapping infrastructure, targeting, and TTPs, which makes attribution to a specific actor more difficult. "Based on the aforementioned shared infrastructure, common targeting and connection recency, Lookout researchers attribute this KoSpy activity to APT37 with medium confidence."

Technical Details of KoSpy

The spyware uses a unique encryption method for each victim, derived from a hardware fingerprint. It AES-encrypts the collected data and transmits it to multiple Firebase projects and C2 servers for further exploitation.

KoSpy communicates with its C2 servers through two request types: one for downloading plugins and another for retrieving surveillance configurations. The configuration request, sent as an encrypted JSON, controls parameters like C2 ping frequency, plugin URLs, and victim messages.

The spyware also uses a hardcoded activation date to evade analysis and detection, and checks whether it is running in a virtualized environment before activating.
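As an added analyst-side example (not Lookout's code and not KoSpy's), the snippet below triages a decrypted configuration of the kind described above: it pulls the plugin hosts out as defanged indicators, reads the ping interval, and models the activation-date gate so a sandbox run can be scheduled with its clock past that date. The JSON key names, the sample configuration, and the activation date are constructed assumptions; the report does not publish the real format.

```python
import json
from datetime import date
from urllib.parse import urlparse

# Constructed sample of a decrypted KoSpy-style configuration. The key names
# are assumptions for illustration; the report does not disclose the real ones.
SAMPLE_CONFIG = json.dumps({
    "ping_interval_sec": 3600,
    "plugin_urls": [
        "https://plugins-a.example.invalid/mods/sms.bin",
        "https://plugins-a.example.invalid/mods/audio.bin",
        "https://plugins-b.example.invalid/mods/screen.bin",
    ],
    "victim_message": "Update completed",
})


def defang(host):
    """Make a hostname safe to paste into a report or ticket."""
    return host.replace(".", "[.]")


def extract_plugin_hosts(config_json):
    """Return the unique, defanged hosts the config points the implant at for plugins."""
    config = json.loads(config_json)
    hosts = []
    for url in config.get("plugin_urls", []):
        host = urlparse(url).hostname
        if host and defang(host) not in hosts:
            hosts.append(defang(host))
    return hosts


def ping_interval(config_json):
    """C2 ping frequency in seconds, or None if the config does not set one."""
    return json.loads(config_json).get("ping_interval_sec")


def is_activated(activation_iso, clock_iso):
    """Model the hardcoded activation gate: the implant stays dormant until the
    date passes, so a sandbox whose clock is before it shows no C2 traffic."""
    return date.fromisoformat(clock_iso) >= date.fromisoformat(activation_iso)


if __name__ == "__main__":
    print(extract_plugin_hosts(SAMPLE_CONFIG))
    print(ping_interval(SAMPLE_CONFIG))
    # Constructed activation date; detonate with the clock on or after it.
    print(is_activated("2025-03-01", "2025-02-15"))
```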

Conclusion

The discovery of KoSpy highlights the evolving threat landscape in the Android ecosystem. As cybersecurity threats continue to evolve, it's essential for users to remain vigilant and stay informed about the latest developments in malware and APT group activities.
