A hacking group linked to the North Korean regime successfully uploaded Android spyware onto the Google Play app store, tricking unsuspecting users into downloading it, according to a new report by cybersecurity firm Lookout.
In a report published Wednesday, Lookout detailed an espionage operation involving multiple variants of an Android spyware dubbed KoSpy. The cybersecurity firm attributed the spyware campaign with “high confidence” to the North Korean government.
At least one of the spyware-laced apps was available on Google Play and had been downloaded more than 10 times, based on a cached version of the app’s store page included in Lookout’s report.
North Korean hackers have made headlines for their high-profile cryptocurrency heists, such as the recent $1.4 billion Ethereum theft from crypto exchange Bybit. However, this latest spyware campaign appears to focus on surveillance rather than financial theft.
According to Christoph Hebeisen, Lookout’s Director of Security Intelligence Research, the low number of downloads suggests that this was likely a highly targeted campaign aimed at specific individuals rather than a widespread attack.
Lookout’s analysis found that KoSpy collects an extensive range of sensitive data, including:
- SMS messages and call logs
- Real-time device location tracking
- User keystrokes (keylogging)
- Installed apps and Wi-Fi network details
- Files and folders stored on the device
Beyond data collection, KoSpy can also record audio, capture photos with the phone’s cameras, and take screenshots. Additionally, Lookout discovered that the malware leveraged Firestore, a Google Cloud-based database, to retrieve its initial configuration details.
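The capability list above is also what a defender can screen for before an app is installed. The following is an added Python example, not code from Lookout, Google or the KoSpy operators: it reads an Android manifest and counts how many of the reported capability categories the app’s declared permissions would grant. The permission-to-capability mapping is an assumption built from standard Android permission names (keylogging is mapped to the accessibility-service binding, which the report does not state for KoSpy), and both manifests are constructed samples, not the real apps.

```python
"""Triage Android manifests against the surveillance capability set reported for KoSpy.

Added example; the permission mapping is an assumption using standard Android
permission strings and is not derived from KoSpy's actual manifest."""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERM_ATTR = "{%s}permission" % ANDROID_NS

# Capability categories from the report, each mapped to the standard Android
# permission(s) that normally grant it. Assumption: these are the usual
# permissions for each capability, not a list taken from the KoSpy samples.
CAPABILITY_PERMISSIONS: dict[str, set[str]] = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    # Keylogging on Android usually rides on an accessibility service, which is
    # declared as a <service android:permission=...>, not a <uses-permission>.
    "keylogging": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "installed_apps": {"android.permission.QUERY_ALL_PACKAGES"},
    "wifi": {"android.permission.ACCESS_WIFI_STATE"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
}


def declared_permissions(manifest_xml: str) -> set[str]:
    """Collect <uses-permission> names plus any android:permission a component binds to."""
    root = ET.fromstring(manifest_xml)
    perms: set[str] = set()
    for el in root.iter("uses-permission"):
        name = el.get(NAME_ATTR)
        if name:
            perms.add(name)
    for el in root.iter():  # services/receivers guarded by a permission
        bound = el.get(PERM_ATTR)
        if bound:
            perms.add(bound)
    return perms


def capabilities(manifest_xml: str) -> set[str]:
    """Return the capability categories the manifest's permissions would grant."""
    perms = declared_permissions(manifest_xml)
    return {cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}


def triage(manifest_xml: str, threshold: int = 5) -> dict:
    """Score = number of surveillance capability categories; flag at or above threshold."""
    caps = capabilities(manifest_xml)
    return {"capabilities": sorted(caps), "score": len(caps), "flag": len(caps) >= threshold}


# Constructed sample manifests (not real apps). The second one requests the
# whole capability set described in the report.
SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application/>
</manifest>"""

SAMPLE_SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.utility">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <service android:name=".KeyService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, xml in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(label, triage(xml))
```

A high score is a triage signal, not proof: legitimate device-management and parental-control apps request much of the same set, so the output is a reason to look at the app’s behaviour and network destinations, not a verdict on its own.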
Google’s Response and Removal
Google spokesperson Ed Fernandez confirmed that Lookout shared its findings with the company, leading to the removal of all identified spyware apps from Google Play and the deactivation of related Firebase projects, including the KoSpy variant found on Google Play.
“Google Play automatically protects users from known versions of this malware on Android devices with Google Play Services,” Fernandez stated.
However, Google declined to comment on whether it agreed with Lookout’s attribution to North Korea, as well as other specifics from the report.
Spyware Also Found on APKPure
In addition to Google Play, Lookout found spyware-infected apps on the third-party app store APKPure. When contacted for comment, an APKPure spokesperson claimed that the company had not received any communication from Lookout regarding the malicious apps.
TechCrunch’s request for comment, sent to the email address linked to the developer account that hosted the spyware on Google Play, went unanswered.
Although Lookout could not confirm the exact victims of this campaign, Hebeisen and Alemdar Islamoglu, a senior staff security intelligence researcher, suggested that the attack likely targeted South Korean users who speak English or Korean.
Their assessment is based on the fact that the discovered spyware apps had Korean-language titles and interfaces supporting both English and Korean. Additionally, Lookout traced the apps’ domain names and IP addresses back to infrastructure previously associated with North Korean hacking groups APT37 and APT43.
“The thing that is fascinating about North Korean threat actors is that they are, it seems, somewhat frequently successful in getting apps into official app stores,” Hebeisen noted.
As North Korean hacking groups continue to find ways to bypass app store security measures, the incident underscores the ongoing cybersecurity threats posed by state-sponsored hackers and the importance of strict app security measures on major platforms.