Wednesday, March 12, 2025

North Korean government hackers secretly inserted spyware on Android app store

A group of hackers with ties to the North Korean regime infiltrated the Google Play app store with Android spyware, managing to deceive some users into downloading it, as reported by cybersecurity firm Lookout.

In a report released recently, Lookout disclosed an espionage campaign involving different variants of an Android spyware named KoSpy, which the company confidently links to the North Korean government.

One of the spyware applications was available on Google Play and had been downloaded more than 10 times, based on a cached snapshot of the app’s page on the official Android store. Lookout included a screenshot of the page in their report. In recent years, North Korean hackers have made headlines for bold crypto heists, but this case appears to be a surveillance operation based on the spyware app’s functionalities identified by Lookout.

A screenshot of an archive version of a Google Play store page of an app that pretended to be a file manager, but was actually North Korean spyware, according to Lookout. (Image: Lookout)

The motives behind the North Korean spyware campaign remain unknown. Christoph Hebeisen, Lookout’s director of security intelligence research, suggested that with only a few downloads, the spyware app likely targeted specific individuals.

According to Lookout, KoSpy gathers a wide range of sensitive information, including SMS messages, call logs, device location data, files and folders on the device, keystrokes, Wi-Fi network details, and installed apps list. Additionally, KoSpy can record audio, take photos using the phone’s cameras, and capture screenshots.

Lookout also discovered that KoSpy utilizes Firestore, a cloud database on Google Cloud infrastructure, to fetch initial configurations.

Google spokesperson Ed Fernandez informed TechCrunch that Lookout shared its report with Google, prompting the removal of all identified apps from Play and deactivation of Firebase projects, including the KoSpy sample on Google Play. Google Play Services automatically protects users from known versions of this malware on Android devices.

Google did not provide specific comments on details of the report, such as attributing the spyware to the North Korean regime or other aspects outlined by Lookout.

The report also mentioned that Lookout found some of the spyware apps on the third-party app store APKPure, although APKPure said it had not received any communication from Lookout.

The person behind the developer email address listed on the Google Play page that hosted the spyware app did not respond to TechCrunch’s request for comment.

Lookout’s Hebeisen and Alemdar Islamoglu, a senior staff security intelligence researcher, expressed confidence that the campaign targeted specific individuals, possibly in South Korea, who speak English or Korean, based on the apps’ Korean names and a user interface supporting both languages.

Additionally, Lookout found that the spyware apps used domain names and IP addresses previously associated with North Korean government hacking groups APT37 and APT43.

Hebeisen remarked on the North Korean threat actors’ ability to infiltrate official app stores, noting their apparent success in doing so.
