A recent cybersecurity study has uncovered a new Android spyware known as 'KoSpy', which is linked to North Korean threat actors. This malicious software has reportedly infiltrated both Google Play and the third-party app store APKPure, hiding inside at least five harmful applications. According to researchers at Lookout, the spyware is attributed to the North Korean threat group APT37, also referred to as 'ScarCruft'.
The KoSpy campaign has been active since March 2022, and more recent samples show that the threat actors have continued to develop the malware. The spyware primarily targets Korean- and English-speaking users, masquerading as legitimate applications such as file managers, security tools, and software updaters. The five identified malicious apps are:
휴대폰 관리자 (Phone Manager)
File Manager (com.file.exploer)
스마트 관리자 (Smart Manager)
카카오 보안 (Kakao Security)
Software Update Utility
While these applications may provide some legitimate functionality, they secretly load the KoSpy spyware in the background. Notably, the Kakao Security app is an exception: it merely presents a fake system window while requesting dangerous permissions.
The attribution of this campaign to APT37 stems from various indicators, including IP addresses previously associated with North Korean operations and domains linked to the distribution of Konni malware. Additionally, the infrastructure utilized shows overlaps with APT43, another threat group sponsored by North Korea.
Once the KoSpy spyware is active on a device, it retrieves an encrypted configuration file from a Firebase Firestore database to avoid detection. The malware then connects to its command and control (C2) server and performs checks to confirm that it is not operating within an emulator. This spyware possesses several alarming data collection capabilities, including:
Interception of SMS messages and call logs
Real-time tracking of the victim's GPS location
Reading and exfiltrating files from local storage
Using the device's microphone to record audio
Using the device's camera to capture photos and videos
Capturing screenshots of the device display
Recording keystrokes via Android Accessibility Services
Each of the malicious apps uses a distinct Firebase project and C2 server for data exfiltration, with the data encrypted using a hardcoded AES key before transmission.
Although the spyware apps have now been removed from both Google Play and APKPure, users are advised to manually uninstall them and scan their devices using security tools to eliminate any traces of the infection. In severe cases, performing a factory reset may be necessary. It is also recommended to enable Google Play Protect, which can block known malicious apps, thus providing an additional layer of security against KoSpy.
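The manual check recommended above can be scripted. The following triage helper is an added example, not code from Lookout or from the article: it parses the output of `adb shell pm list packages -f` and the `enabled_accessibility_services` secure setting, flags the one KoSpy package name the article gives (com.file.exploer) and any non-allowlisted app that has been granted an Accessibility Service, the vector the report names for keylogging. The sample dumps and the allowlist are constructed for the example.

```python
"""Triage helper: flag KoSpy indicators in Android package and accessibility dumps."""
import re

# Package name the article lists for the KoSpy 'File Manager' app. The other four
# apps are named only by label on the page, so their package names are not listed.
KOSPY_PACKAGES = {"com.file.exploer"}

# Hypothetical allowlist of accessibility services an organisation trusts.
ALLOWED_A11Y = {"com.google.android.marvin.talkback"}

# Constructed sample of `adb shell pm list packages -f` output.
SAMPLE_PM = """package:/data/app/com.file.exploer-1/base.apk=com.file.exploer
package:/system/app/Settings/Settings.apk=com.android.settings
package:/data/app/com.example.notes-2/base.apk=com.example.notes
"""
# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
SAMPLE_A11Y = ("com.file.exploer/com.file.exploer.AccessService:"
               "com.google.android.marvin.talkback/.TalkBackService")


def parse_pm_packages(text):
    """Parse `pm list packages -f` lines into {package_name: apk_path}."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"package:(?P<path>\S+?)=(?P<pkg>[\w.]+)$", line.strip())
        if m:
            found[m.group("pkg")] = m.group("path")
    return found


def parse_a11y(setting):
    """Parse the ':'-separated 'package/service' entries into the set of packages
    that currently hold an enabled Accessibility Service."""
    return {entry.split("/")[0] for entry in setting.strip().split(":") if entry}


def triage(pm_output, a11y_setting):
    """Return (package, reason) findings worth uninstalling or investigating."""
    pkgs = parse_pm_packages(pm_output)
    a11y = parse_a11y(a11y_setting)
    findings = []
    for pkg in sorted(pkgs):
        if pkg in KOSPY_PACKAGES:
            findings.append((pkg, "known KoSpy package name"))
    for pkg in sorted(a11y - ALLOWED_A11Y):
        findings.append((pkg, "accessibility service enabled (keylogging vector)"))
    return findings


if __name__ == "__main__":
    for pkg, reason in triage(SAMPLE_PM, SAMPLE_A11Y):
        print(f"{pkg}: {reason}")
```

Any accessibility-enabled package that is not on the allowlist deserves a look even when its name is not a published indicator, since the report notes that samples have changed over time.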
A representative from Google confirmed to BleepingComputer that all identified KoSpy applications have been removed from Google Play, and the corresponding Firebase projects have been taken down. The use of regional languages in these apps indicates that they were designed for targeted attacks.
Google also reported that the latest malware sample, discovered in March 2024, was removed from Google Play before any user installed it. Users with devices that run Google Play Services can benefit from Google Play Protect, which automatically safeguards them against known versions of this malware, even if the apps originate from sources outside the Play Store.