North Korean government hackers snuck spyware on Android app store

A recent report from cybersecurity firm Lookout reveals a concerning espionage campaign linked to North Korean hackers, who have successfully uploaded Android spyware onto the Google Play app store. This malware, dubbed KoSpy, has reportedly tricked some users into downloading it, raising alarms about the growing sophistication of cyber threats.

Details of the Spyware Campaign

Lookout’s findings, shared exclusively with TechCrunch, indicate that at least one variant of KoSpy was available on Google Play and had been downloaded over ten times, as evidenced by a cached snapshot of the app’s page. The report includes a screenshot showcasing the app, which masqueraded as a file manager.

While North Korean hackers have garnered attention for audacious cryptocurrency heists, such as the recent theft of approximately .4 billion in Ethereum from the crypto exchange Bybit, this latest operation appears to focus on surveillance rather than financial gain. The functionality of the spyware suggests a targeted approach, likely aimed at specific individuals rather than a broad audience.

A screenshot of an archive version of a Google Play store page of an app that pretended to be a file manager, but was actually North Korean spyware, according to Lookout. (Image: Lookout)

Christoph Hebeisen, Lookout’s director of security intelligence research, noted that the limited number of downloads indicates a focus on particular targets. The exact objectives of this spyware campaign remain unclear, but the extensive data collection capabilities of KoSpy are alarming. The spyware can gather:

  • SMS text messages
  • Call logs
  • Device location data
  • Files and folders on the device
  • User-entered keystrokes
  • Wi-Fi network details
  • A list of installed apps
  • Audio recordings
  • Images via the phone’s cameras
  • Screenshots of the active display

Notably, KoSpy retrieves its initial configuration from Firestore, a cloud database built on Google Cloud infrastructure, so the spyware's first contact goes to legitimate Google services rather than to an obviously malicious server, which makes the traffic harder to distinguish from benign app activity.

In response to Lookout’s report, Google confirmed that the identified apps were promptly removed from the Play Store and that Firebase projects associated with them were deactivated. Ed Fernandez, a spokesperson for Google, emphasized that Google Play Services automatically protects users from known malware versions on Android devices.

However, Google refrained from commenting on specific inquiries regarding the attribution of the malware to the North Korean regime or other details outlined in Lookout’s findings.

Broader Implications and Targeting

Lookout also discovered instances of the spyware on third-party app store APKPure, although a spokesperson for APKPure stated that they had not received any communication from Lookout regarding these findings. The developer behind the spyware app did not respond to requests for comment from TechCrunch.

According to Lookout’s researchers, including Alemdar Islamoglu, the campaign appears to be highly targeted, likely focusing on individuals in South Korea who speak either English or Korean. This assessment is supported by the presence of Korean language titles and user interfaces in some of the identified apps.

Furthermore, the spyware apps were found to utilize domain names and IP addresses previously linked to malware and command-and-control infrastructure associated with North Korean hacking groups APT37 and APT43. Hebeisen remarked on the intriguing capability of North Korean threat actors to infiltrate official app stores, highlighting a significant challenge in cybersecurity.
