Recent investigations have unveiled a troubling trend in the realm of mobile applications, particularly those designed for Android devices. Researchers from Lookout, a prominent security firm, have identified several applications that, despite passing Google Play’s security checks, have been covertly uploading sensitive user data to operatives affiliated with the North Korean government.
The malware, dubbed KoSpy, cleverly disguises itself as various utility applications aimed at enhancing user experience. These include tools for managing files, performing app or operating system updates, and ensuring device security. However, beneath their benign interfaces lies a more sinister purpose: the ability to harvest a wide array of personal information. This includes SMS messages, call logs, location data, files, ambient audio, and even screenshots, all of which are transmitted to servers controlled by North Korean intelligence.
Think twice before installing
The surveillance software has been found masquerading under five distinct app names:
- 휴대폰 관리자 (Phone Manager)
- File Manager
- 스마트 관리자 (Smart Manager)
- 카카오 보안 (Kakao Security)
- Software Update Utility
In addition to being available on Google Play, these applications have also surfaced in third-party markets such as Apkpure. The Google Play listing of one such app shows a developer email address of mlyqwl@gmail.com and links to a privacy policy.
The privacy policy claims, “I value your trust in providing us your Personal Information, thus we are striving to use commercially acceptable means of protecting it.” However, it also cautions that “no method of transmission over the internet, or method of electronic storage is 100% secure and reliable, and I cannot guarantee its absolute security.” This statement raises significant concerns about the actual safety of user data.
While the privacy policy appeared to be benign at the time of reporting, it is worth noting that the IP addresses linked to the command-and-control servers associated with these apps have been previously connected to domains known to facilitate North Korean espionage activities since at least 2019. This connection underscores the importance of vigilance when downloading applications, particularly those that may seem innocuous at first glance.