A North Korean APT actor has been targeting Korean and English-speaking users with an Android surveillance tool distributed via Google Play, cybersecurity firm Lookout warns.
Dubbed KoSpy, the spyware has been in use since March 2022, posing as utility applications to infect unsuspecting users, and abusing Google Play and the Firebase Firestore for app distribution and configuration retrieval.
The surveillance tool has been attributed to the North Korean APT ScarCruft, also known as APT37, which has been active since 2012, targeting mainly entities in South Korea, along with China, India, Japan, Kuwait, Nepal, Romania, Russia, Vietnam, and Middle Eastern countries.
KoSpy has been observed masquerading as five applications: a phone manager, file manager, smart manager, software update utility, and a fake security application.
After the lure application has been installed, KoSpy fetches from Firebase Firestore configuration data that allows threat actors to enable and disable the spyware and change its command-and-control (C&C) server at any time.
Next, the malware checks whether the victim device is an emulator, and whether the current date is past the hardcoded activation date.
KoSpy can collect SMS messages, call logs, and device location, can capture screenshots, record audio using the phone’s microphone, take photos, access files and folders on the device, record keystrokes, collect Wi-Fi network information, and compile a list of installed applications.
The collected data is encrypted before being sent to a remote server, and Lookout identified five Firebase projects and C&C servers employed by the malware.
“Lookout researchers assess that this KoSpy campaign was targeted at Korean and English-speaking users. More than half of the apps have Korean language titles and the UI supports two languages: English and Korean,” the cybersecurity firm says.
Some of the KoSpy applications were found in Google Play and in the third-party app store Apkpure. All the identified applications were removed from Google Play and the Firebase projects were also removed.
Lookout attributes – with moderate confidence – KoSpy to ScarCruft, noting that APT43, a North Korean hacking group also known as Kimsuky and Thallium, appears to have employed it as well.
“The use of regional language suggests this was intended as targeted malware. Before any user installations, the latest malware sample discovered in March 2024 was removed from Google Play. Google Play Protect automatically protects Android users from known versions of this malware on devices with Google Play Services, even when apps come from sources outside of Play,” a Google spokesperson told SecurityWeek.
*Updated with statement from Google.
Related: North Korean APT Exploited IE Zero-Day in Supply Chain Attack
Related: US Says North Korean Hackers Exploiting Weak DMARC Settings
Related: North Korean Hackers Targeted Russian Missile Developer
Related: US Sanctions North Korean Cyberespionage Group Kimsuky
