BREAKINGON

North Korean Hackers Expose Android Users with Spyware on Google Play Store

3/12/2025
A cybersecurity firm reveals North Korean hackers uploaded spyware to Google Play, tricking users into downloading it. The malware, named KoSpy, gathers sensitive data, raising alarms about targeted surveillance operations.

North Korean Hackers Deploy Android Spyware on Google Play Store

A recent report by cybersecurity firm Lookout reveals that a group of hackers with ties to the North Korean regime successfully uploaded Android spyware to the Google Play app store, tricking users into downloading it. This alarming espionage campaign, detailed in a report shared exclusively with TechCrunch, revolves around multiple samples of an Android spyware identified by Lookout as KoSpy. The firm attributes this activity with “high confidence” to the North Korean government.

Spyware Distribution and Downloads

According to Lookout, at least one version of the spyware app was available on Google Play and reportedly downloaded more than 10 times, as evidenced by a cached snapshot of the app's page. The report includes a screenshot of the page, highlighting the ease with which malicious software can infiltrate legitimate platforms.

In recent years, North Korean hackers have garnered attention for high-profile cybercrimes, such as the bold theft of approximately $1.4 billion in Ethereum from the Bybit crypto exchange. These incidents often aim to fund the country’s illicit nuclear weapons program. However, this new spyware campaign appears to serve a different purpose, focusing primarily on surveillance.

Capabilities of KoSpy

The specific objectives of the North Korean spyware campaign remain unclear. Christoph Hebeisen, Lookout’s director of security intelligence research, informed TechCrunch that the limited number of downloads indicates the spyware was likely aimed at specific individuals. Lookout reports that KoSpy is capable of collecting a vast array of sensitive information, including:

- SMS text messages
- Call logs
- Device location data
- Files and folders stored on the device
- User-entered keystrokes
- Wi-Fi network details
- A list of installed applications

Additionally, KoSpy can record audio, capture images using the phone's cameras, and take screenshots of the user’s activities. This extensive data collection underscores the significant threat posed by this spyware.
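The capability list above reads, from a defender's side, as a set of Android permissions an app has to hold before it can collect each data class. The following triage helper is an added example written for this article, not Lookout's tooling and not KoSpy's actual manifest: it parses the permission lines from `adb shell dumpsys package <pkg>` output (the sample here is constructed) and reports which of the listed surveillance capabilities an installed app has requested or been granted. The permission-to-capability mapping and the "three or more granted classes" threshold are assumptions made for illustration; keystrokes and screenshots are deliberately left out because on Android they come from an accessibility service or MediaProjection rather than from a runtime permission, so this check alone cannot see them.

```python
"""
Permission triage for the data classes the article lists.

Added illustration, not code from Lookout, Google or the KoSpy authors.
The mapping below is an assumption about which Android permissions an
app needs for each data class; the dumpsys sample is constructed.
"""
import re

# Assumed mapping from the article's capability list to Android permissions.
# Keystrokes (accessibility service) and screenshots (MediaProjection) are
# not runtime permissions and are therefore not covered by this check.
CAPABILITY_PERMISSIONS = {
    "SMS text messages": {"android.permission.READ_SMS",
                          "android.permission.RECEIVE_SMS"},
    "Call logs": {"android.permission.READ_CALL_LOG"},
    "Device location": {"android.permission.ACCESS_FINE_LOCATION",
                        "android.permission.ACCESS_COARSE_LOCATION"},
    "Files and folders": {"android.permission.READ_EXTERNAL_STORAGE",
                          "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "Wi-Fi network details": {"android.permission.ACCESS_WIFI_STATE"},
    "Installed applications": {"android.permission.QUERY_ALL_PACKAGES"},
    "Audio recording": {"android.permission.RECORD_AUDIO"},
    "Camera capture": {"android.permission.CAMERA"},
}

# Constructed sample in the shape of `adb shell dumpsys package <pkg>` output.
SAMPLE_DUMPSYS = """\
Package [com.example.notesapp] (constructed sample):
  requested permissions:
    android.permission.INTERNET
    android.permission.READ_SMS
    android.permission.READ_CALL_LOG
    android.permission.ACCESS_FINE_LOCATION
    android.permission.RECORD_AUDIO
    android.permission.CAMERA
    android.permission.ACCESS_WIFI_STATE
    android.permission.QUERY_ALL_PACKAGES
  install permissions:
    android.permission.INTERNET: granted=true
    android.permission.ACCESS_WIFI_STATE: granted=true
    android.permission.QUERY_ALL_PACKAGES: granted=true
  runtime permissions:
    android.permission.READ_SMS: granted=true
    android.permission.READ_CALL_LOG: granted=true
    android.permission.ACCESS_FINE_LOCATION: granted=true
    android.permission.RECORD_AUDIO: granted=false
    android.permission.CAMERA: granted=true
"""

PERM_RE = re.compile(r"(android\.permission\.[A-Z_]+)(?::\s*granted=(true|false))?")


def parse_permissions(dumpsys_text):
    """Return {permission: 'granted' | 'requested'} from dumpsys-style text.

    A bare permission name (requested section) or a 'granted=false' line
    records the permission as requested; 'granted=true' upgrades it.
    """
    status = {}
    for match in PERM_RE.finditer(dumpsys_text):
        name, granted = match.group(1), match.group(2)
        if granted == "true":
            status[name] = "granted"
        else:
            status.setdefault(name, "requested")
    return status


def surveillance_profile(perm_status):
    """Map permission states onto the article's capability classes.

    A capability is 'granted' if any permission that enables it is granted,
    'requested' if only requested, and absent if the app never asked.
    """
    profile = {}
    for capability, needed in CAPABILITY_PERMISSIONS.items():
        states = {perm_status.get(p) for p in needed} - {None}
        if "granted" in states:
            profile[capability] = "granted"
        elif "requested" in states:
            profile[capability] = "requested"
    return profile


def is_suspicious(profile, threshold=3):
    """Heuristic (assumed threshold): flag apps holding several data classes."""
    return sum(1 for state in profile.values() if state == "granted") >= threshold


if __name__ == "__main__":
    profile = surveillance_profile(parse_permissions(SAMPLE_DUMPSYS))
    for capability, state in sorted(profile.items()):
        print(f"{capability:24s} {state}")
    print("flag for review:", is_suspicious(profile))
```

Run it against real output by piping `adb shell dumpsys package <pkg>` into `parse_permissions`; an ordinary notes app holding SMS, call-log, location and camera access at once is the kind of mismatch between declared purpose and granted capability that this check is meant to surface for manual review, not a verdict on its own.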

Cloud Infrastructure and Response from Google

Lookout also discovered that KoSpy utilizes Firestore, a cloud database built on Google Cloud infrastructure, to retrieve its initial configurations. In response to the report, Google spokesperson Ed Fernandez confirmed that Lookout shared its findings and that all identified apps were promptly removed from Google Play. Moreover, Firebase projects associated with the spyware were deactivated.

Fernandez stated, “Google Play automatically protects users from known versions of this malware on Android devices with Google Play Services.” However, Google did not provide comments regarding specific inquiries about the report, including whether they concurred with the attribution to the North Korean regime.

Presence on Other Platforms and Target Audience

In addition to Google Play, Lookout found some of the spyware applications on the third-party app store APKPure. A spokesperson for APKPure mentioned that the company had not received any communication from Lookout regarding this issue. Meanwhile, the individual or individuals behind the developer's email address listed on the Google Play page hosting the spyware app did not respond to TechCrunch’s request for comment.

Lookout’s security researchers, including Hebeisen and senior staff security intelligence researcher Alemdar Islamoglu, expressed their belief that this was a highly targeted campaign, likely aimed at individuals in South Korea who speak either English or Korean. This assessment is based on the names of the apps, some of which are in Korean, and the user interface supporting both languages.

North Korean Cyber Threats: A Growing Concern

Lookout's investigation also identified that the spyware apps were utilizing domain names and IP addresses previously linked to malware and command-and-control infrastructure associated with North Korean hacking groups APT37 and APT43. Hebeisen noted, “The thing that is fascinating about the North Korean threat actors is that they are, it seems, somewhat frequently successful in getting apps into official app stores.”

This incident highlights the ongoing risks posed by state-sponsored cyber threats, particularly as they continue to evolve and adapt to exploit legitimate platforms for malicious purposes. Users must remain vigilant and take proactive measures to protect their devices from such sophisticated attacks.

© Copyright 2025 BreakingOn. All rights reserved.