Not for the first time: North Korean hackers used fake apps to spread spyware on Android

Malware continues to find its way past Google's security measures, and the problem has resurfaced with the discovery of a new Android spyware family. The threat, tracked as KoSpy, has been linked to a hacking group believed to have ties to the North Korean regime.

Details of the Discovery

Researchers at Lookout Threat Lab uncovered KoSpy, attributing it with medium confidence to the North Korean APT group known as ScarCruft, or APT37. The spyware was cleverly concealed within a range of deceptive applications, including file managers, software update utilities, and security software—common disguises for malicious software.

Once installed, KoSpy is capable of extracting a wealth of sensitive information from infected devices. This includes:

  • SMS messages
  • Call logs
  • Device location
  • Files and folders on local storage
  • Wi-Fi network details
  • A list of installed applications

Moreover, the spyware can engage in more intrusive activities, such as:

  • Recording audio and taking photos with the device's cameras
  • Capturing screenshots or recording the screen during use
  • Logging keystrokes by exploiting accessibility features

Lookout further notes that the data collected by KoSpy is encrypted with a hardcoded AES key before being transmitted to its command and control (C2) servers; because the key is embedded in the app itself, anyone with a sample can recover it and decrypt captured traffic. Notably, the spyware also used Firebase Firestore, Google's cloud-hosted database, to fetch its initial configuration, which let the operators change C2 details without updating the app.
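The capability list above maps almost one-to-one onto Android permissions, which makes a manifest triage check a cheap first filter for apps that claim to be file managers or update utilities but ask for far more. The script below is an added example, not Lookout's tooling or anything taken from the KoSpy samples: it parses a decoded AndroidManifest.xml (the plain-XML output of apktool, not the binary AXML inside an APK), scores how many of the data-collection capabilities the app requests, and treats a bound accessibility service (the route KoSpy uses for keylogging) as an aggravating signal. The two manifests are constructed for the example; the permission-to-capability mapping and the flagging threshold are the author's assumptions, not a published detection rule.

```python
"""Triage a decoded AndroidManifest.xml for a spyware-style permission profile.

Added example, not the page's or Lookout's code. Assumes the manifest has already
been decoded to plain XML (e.g. with apktool); binary AXML will not parse here.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Assumed mapping from the capabilities described in the article to the permissions
# an app must request to get them. Any one permission in a set counts as a hit.
CAPABILITY_PERMISSIONS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "wifi": {"android.permission.ACCESS_WIFI_STATE"},
    "installed_apps": {"android.permission.QUERY_ALL_PACKAGES"},
    "camera_audio": {"android.permission.CAMERA", "android.permission.RECORD_AUDIO"},
}

# Constructed sample: a "file manager" that asks for far more than file access
# and registers an accessibility service, which is how keystrokes can be read.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="File Manager">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: a file manager that only asks for what a file manager needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainfiles">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
  <application android:label="Plain Files"/>
</manifest>"""


def parse_manifest(xml_text):
    """Return (requested permission names, whether an accessibility service is bound)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission") if e.get(NAME)}
    # A service protected by BIND_ACCESSIBILITY_SERVICE is one the system will feed
    # UI events (including typed text) to once the user enables it in Settings.
    a11y = any(s.get(PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
               for s in root.iter("service"))
    return perms, a11y


def triage(xml_text, threshold=3):
    """Score the manifest and decide whether it warrants manual review.

    threshold is an assumed cut-off on how many distinct collection capabilities
    an app may request before it is flagged; tune it per app category.
    """
    perms, a11y = parse_manifest(xml_text)
    hits = sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed)
    if a11y:
        hits.append("accessibility_keylog")
    # Accessibility binding plus any data-collection capability is a stronger signal
    # than the raw count alone, so it lowers the bar for flagging.
    flagged = len(hits) >= threshold or (a11y and len(hits) >= 2)
    return {"capabilities": hits, "flagged": flagged}


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

Run it against `apktool d sample.apk` output by reading the decoded `AndroidManifest.xml` into `triage()`. A hit count is only a prompt for a human look: a legitimate messaging app will also score on SMS and call logs, which is why the decision here weighs the accessibility service rather than relying on the count alone.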

Impact on the Google Play Store

At least one of the malicious applications associated with KoSpy managed to infiltrate the Google Play Store, remaining publicly accessible for a period. A cached snapshot of the Play Store listing for the File Manager app indicates it was downloaded over ten times.

In addition to its presence on the Play Store, some of these harmful applications were also discovered on the third-party app store APKPure. The specific objectives of this campaign remain unclear; however, Christoph Hebeisen, Lookout's director of security intelligence research, noted that the relatively low download numbers suggest the spyware may have been aimed at particular individuals, likely targeting those in South Korea who speak either English or Korean.

In response to the report from Lookout, Google spokesperson Ed Fernandez confirmed that all identified applications have been removed from the Play Store, and the associated Firebase projects have been deactivated.

This incident follows a significant breach last month involving Dubai-based crypto exchange Bybit, which was targeted by the infamous North Korean hacking group Lazarus. The heist resulted in the theft of $1.5 billion in digital assets, marking it as the largest crypto heist in history.
