New North Korean Android spyware slips onto Google Play

A new Android spyware, known as KoSpy, has been linked to North Korean threat actors who have successfully infiltrated both Google Play and the third-party app store APKPure through a series of malicious applications. Researchers from Lookout have attributed this spyware to the notorious North Korean threat group APT37, also referred to as ScarCruft. The campaign has been ongoing since March 2022, with the threat actors continuously refining the malware based on newly discovered samples.

The primary targets of this spyware campaign are Korean and English-speaking users, with the malicious apps cleverly disguised as file managers, security tools, and software updaters. Lookout has identified five specific applications involved in this operation:

  • 휴대폰 관리자 (Phone Manager)
  • File Manager (com.file.exploer)
  • 스마트 관리자 (Smart Manager)
  • 카카오 보안 (Kakao Security)
  • Software Update Utility

Malicious app on Google Play
Source: Lookout

While these malicious applications may offer some of the functionalities they promise, they simultaneously load the KoSpy spyware in the background. An exception is the Kakao Security app, which merely displays a deceptive system window while soliciting access to potentially harmful permissions.

Interface of KoSpy apps
Source: Lookout

The attribution of this campaign to APT37 stems from various indicators, including IP addresses historically associated with North Korean operations, domains that have facilitated the distribution of Konni malware, and shared infrastructure with APT43, another threat group sponsored by the DPRK.

KoSpy details

Once installed on a device, KoSpy retrieves an encrypted configuration file from a Firebase Firestore database, allowing it to evade detection. It then connects to its command and control (C2) server, performing checks to ensure it is not operating within an emulator. This malware is capable of retrieving updated settings from the C2, executing additional payloads, and can be dynamically activated or deactivated via an “on/off” switch.

The data collection capabilities of KoSpy are extensive, including:

  • Interception of SMS and call logs
  • Real-time tracking of the victim’s GPS location
  • Reading and exfiltrating files from local storage
  • Using the device’s microphone for audio recording
  • Utilizing the device’s camera to capture photos and videos
  • Taking screenshots of the device display
  • Recording keystrokes through Android Accessibility Services

Each application operates with a distinct Firebase project and C2 server for data exfiltration, with the data encrypted using a hardcoded AES key prior to transmission.
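The capability list above maps almost one-to-one onto install-time Android permissions, which gives a defender a cheap first-pass triage: an app that presents itself as a file manager has no business declaring SMS, call-log, microphone, camera and accessibility-service access at the same time. The script below is an added example, not Lookout's tooling or anything from the KoSpy samples. It parses a constructed AndroidManifest.xml (the package name and the permission set are made up for illustration), maps declared permissions to the capability categories named in this article, and flags capabilities that exceed a hypothetical baseline for the app's advertised purpose. Screenshot capture via MediaProjection needs no manifest permission, so it is deliberately not scored here.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(name: str) -> str:
    """Fully-qualified attribute key for android:<name> as ElementTree stores it."""
    return f"{{{ANDROID_NS}}}{name}"


# Capability categories from the KoSpy write-up, mapped to the real Android
# permissions an app must declare to obtain each of them.
CAPABILITY_PERMISSIONS: Dict[str, Set[str]] = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
}

# Hypothetical baseline (an assumption for this example): which capabilities
# an app with the given advertised purpose could legitimately need.
EXPECTED_CAPABILITIES: Dict[str, Set[str]] = {
    "file manager": {"storage"},
    "security tool": {"storage"},
    "software updater": set(),
}


def declared_permissions(manifest_xml: str) -> Set[str]:
    """Return every android:name value from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(_attr("name")) for el in root.iter("uses-permission")}
    return {n for n in names if n}


def declares_accessibility_service(manifest_xml: str) -> bool:
    """True if any <service> is bound as an AccessibilityService (keylogging path)."""
    root = ET.fromstring(manifest_xml)
    return any(
        svc.get(_attr("permission")) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for svc in root.iter("service")
    )


def capabilities(manifest_xml: str) -> Set[str]:
    """Map the manifest onto the capability categories from the article."""
    perms = declared_permissions(manifest_xml)
    caps = {cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}
    if declares_accessibility_service(manifest_xml):
        caps.add("accessibility")
    return caps


def triage(manifest_xml: str, declared_purpose: str) -> Dict[str, object]:
    """Compare declared capabilities with the baseline for the advertised purpose."""
    caps = capabilities(manifest_xml)
    expected = EXPECTED_CAPABILITIES.get(declared_purpose, set())
    excess = sorted(caps - expected)
    # Threshold is arbitrary: three or more out-of-scope capabilities earns a review.
    verdict = "review" if len(excess) >= 3 else "ok"
    return {"capabilities": sorted(caps), "excess": excess, "verdict": verdict}


# Constructed manifest for a fake "file manager" that asks for the full KoSpy
# capability set. The package name is invented and is not an IoC.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.filemanager">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest for a plausible benign file manager.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.benignfm">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SUSPICIOUS_MANIFEST, "file manager"))
    print(triage(BENIGN_MANIFEST, "file manager"))
```

Run against a real APK, the same logic works on the manifest decoded by apktool or aapt; the point is that the permission footprint, not the app's name or icon, is what reveals a spyware-grade capability set.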

Although the spyware apps have been removed from both Google Play and APKPure, users are advised to manually uninstall them and utilize security tools to eliminate any remnants of the infection from their devices. In severe cases, a factory reset may be necessary.

Google Play Protect has the capability to block known malicious apps, making it essential for users to enable this feature on their up-to-date Android devices to safeguard against KoSpy. A spokesperson from Google confirmed to BleepingComputer that all identified KoSpy applications have been removed from Google Play, and the associated Firebase projects have also been dismantled.

“The use of regional language suggests this was intended as targeted malware. Before any user installations, the latest malware sample discovered in March 2024 was removed from Google Play,” Google stated to BleepingComputer. “Google Play Protect automatically protects Android users from known versions of this malware on devices with Google Play Services, even when apps come from sources outside of Play.”
