Introduction
A group of hackers associated with North Korea's government recently managed to upload spyware onto Google's official Android app store, successfully deceiving several users into downloading malicious apps, cybersecurity firm Lookout revealed in a report shared exclusively with TechCrunch.
The KoSpy Operation
In the detailed report published on Wednesday, Lookout described this espionage operation involving multiple variants of spyware, collectively referred to as "KoSpy." Lookout attributes this spyware with "high confidence" directly to North Korean government-linked threat actors.
One of these malicious apps appeared briefly on Google Play and was downloaded more than ten times, as evidenced by a cached version of the app's listing captured by Lookout. The cybersecurity firm also shared screenshots of the malicious app's Google Play listing.
North Korean Cyber Activities
North Korean hackers have increasingly drawn attention in recent years, notably for their high-profile cryptocurrency thefts, including a staggering $1.4 billion Ethereum heist from crypto exchange Bybit. These illicit activities reportedly help finance the regime's banned nuclear program. Unlike those financially motivated attacks, however, the newly discovered KoSpy campaign appears to be designed specifically for surveillance and espionage.
Targeted Approach
According to Christoph Hebeisen, Lookout's Director of Security Intelligence Research, the small number of downloads suggests a highly targeted operation. Although specific targets have not been identified, the spyware likely targeted individuals in South Korea who speak English or Korean. This suspicion arises from the Korean-language app titles and from user interfaces that support both languages.
Spyware Capabilities
KoSpy possesses extensive data collection capabilities. It captures sensitive personal data such as:
- SMS messages
- Call logs
- GPS location information
- Files stored on the device
- Keystrokes
- Wi-Fi network details
- Lists of installed applications
It can also remotely activate the device's camera and microphone to record audio, take photographs, and capture screenshots.
Google's Response
Lookout also found that KoSpy used Google Cloud's Firestore service to fetch its initial configuration. After being made aware of the apps, Google removed all identified malicious applications from the Play Store and deactivated the associated Firebase projects. Ed Fernandez, a spokesperson for Google, confirmed the removal and stated, "Google Play automatically protects users from known versions of this malware through Google Play Services."
However, Google declined to comment directly on Lookout's attribution of the spyware to North Korea or provide further details from the report.
Additional Distribution Channels
Additionally, Lookout identified malicious KoSpy apps on the third-party app store APKPure. A spokesperson from APKPure stated the company had not received any notification or warning from Lookout regarding the malware.
The developer listed on Google Play associated with the spyware has not responded to requests for comment from TechCrunch.
Attribution to North Korean Threat Actors
Lookout's analysis further connects the spyware's infrastructure—domain names and IP addresses—to previously known malware campaigns conducted by North Korean hacking groups APT37 and APT43.
Hebeisen remarked, "What's fascinating about North Korean threat actors is their recurring ability to infiltrate official app stores successfully, illustrating their persistent threat to cybersecurity."
Image credit: Vox.