Malware KoSpy Targets Android Users in Espionage Campaign
Researchers at the mobile and cloud security firm Lookout have identified a sophisticated malware strain named KoSpy, believed to be linked to North Korean state-sponsored hackers. The malware specifically targets Android devices, aiming to surveil both Korean- and English-speaking users.
Lookout has classified KoSpy as the work of an advanced persistent threat group known as ScarCruft, or APT37. The malware has been discovered on the Google Play Store as well as various third-party app stores, embedded within seemingly innocuous utility applications such as File Manager, Software Update Utility, and Kakao Security. The malware’s capabilities are alarming; it can harvest a wide array of sensitive information, including call logs, text messages, files, audio recordings, screenshots, and user location data.
In response to these findings, Google has proactively removed all identified infected applications from its platform. A spokesperson for Google confirmed that the latest iteration of the malware was taken down before any installations could occur. They emphasized the effectiveness of Google Play Protect, which automatically safeguards Android users against known malware variants, even when apps originate from outside the Google Play ecosystem.
KoSpy first emerged in March 2022, with new samples surfacing as recently as last year. Lookout noted that over half of the applications associated with KoSpy feature titles in Korean, and the user interface is designed to support both English and Korean languages. The app dynamically adjusts its language settings based on the device’s language preference, displaying messages and text fields in Korean when set to that language, and in English otherwise.
Interestingly, KoSpy seems to share infrastructure with another North Korean hacking group known as Kimsuky, or APT43, which has been implicated in a series of spearphishing attacks aimed at stealing sensitive information through a campaign dubbed forceCopy. ScarCruft, the group behind KoSpy, has been active since 2012, primarily focusing on South Korean targets but also extending its reach to users in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and several Middle Eastern nations.
In January, ScarCruft was linked to an espionage campaign that targeted media organizations and prominent academics. More recently, in October, researchers connected the group to a malware operation in Southeast Asia, further underscoring the persistent threat posed by these state-sponsored cyber actors.
Editor’s Note: Story updated 1:40 p.m. Eastern time with statement from Google.