Lookout experts have discovered a new Android spyware called KoSpy. The malware is linked to North Korean hackers and was found in the official Google Play store and the third-party APKPure store as part of at least five apps.
According to researchers, the spyware is associated with the North Korean group APT37 (aka ScarCruft). The campaign using this malware has been active since March 2022, and judging by the malware samples, the hackers are actively improving their development.
The spyware campaign mainly targets Korean and English-speaking users. KoSpy disguises itself as file managers, security tools, and updates for various software.
In total, Lookout experts discovered five applications: 휴대폰 관리자 (Phone Manager), File Manager (com.file.exploer), 스마트 관리자 (Smart Manager), 카카오 보안 (Kakao Security) and Software Update Utility.
Almost all malicious apps actually provide at least some of the promised features, but they also download KoSpy in the background. The only exception is Kakao Security. This app only shows a fake system window, asking for access to dangerous permissions.
Researchers attribute the campaign to APT37 based on IP addresses previously associated with North Korean hacker operations, domains used to distribute the Konni malware, and infrastructure that overlaps with another North Korean hacking group, APT43.
Once activated on a device, KoSpy retrieves an encrypted configuration file from the Firebase Firestore database to avoid detection.
The malware then connects to the command and control server and checks whether it is running in an emulator. The malware can receive updated settings from the attackers' server and additional payloads to execute, and it can also be dynamically activated or deactivated using a special switch.
KoSpy is mainly focused on data collection; its capabilities are as follows:
- intercepting SMS messages and call logs;
- real-time GPS tracking of the victim's location;
- reading and retrieving files from local storage;
- using the device's microphone to record sound;
- using the device's camera to take photos and videos;
- taking screenshots of the device screen;
- intercepting keystrokes using Android Accessibility Services.
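As an added example (not Lookout's tooling and not code from the KoSpy apps), here is a static triage check that maps each capability in the list above to the Android manifest permission an app must declare before it can use it, and flags an app whose declared permissions cover most of them; the sample manifest and its package name are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Each capability reported for KoSpy, mapped to the manifest permission(s)
# an app needs before Android will let it do that (assumption: standard names).
CAPABILITY_PERMISSIONS = {
    "sms_and_call_logs": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                          "android.permission.READ_CALL_LOG"},
    "gps_tracking": {"android.permission.ACCESS_FINE_LOCATION"},
    "local_files": {"android.permission.READ_EXTERNAL_STORAGE",
                    "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
}
# Keystroke capture via Accessibility Services needs a <service> guarded by this permission.
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(manifest_xml: str, threshold: int = 4) -> dict:
    """Report which KoSpy-style capabilities a manifest could support."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    found = {cap for cap, perms in CAPABILITY_PERMISSIONS.items() if requested & perms}
    if any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERM
           for s in root.iter("service")):
        found.add("accessibility_keylogging")
    return {
        "package": root.get("package"),
        "capabilities": sorted(found),
        "suspicious": len(found) >= threshold,  # a file manager has no business with most of these
    }

# Constructed sample: a "file manager" requesting far more than file access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <service android:name=".KeyService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The check runs against a decoded AndroidManifest.xml (for example from apktool output) and only says what an app could do; a hit is a reason to look closer, not proof of spyware.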
Each app uses a separate Firebase project and server to exfiltrate data, which is encrypted with a hard-coded AES key before transmission.
While the malicious apps have now been removed from Google Play and APKPure, the researchers warn that users will have to manually remove the malware from their devices and scan them with security tools to get rid of any remaining infection. In some cases, a factory reset may be necessary.
"The use of regional language [in the app names] indicates that this was targeted malware. The latest malware sample, discovered in March 2024, was removed from Google Play before it could be installed by users," Google representatives told the media.