KoSpy, a new Android spyware that infiltrated Google Play Store

April 1, 2025

A newly uncovered North Korean Android spyware dubbed ‘KoSpy’ has breached Google Play and the third-party app store APKPure through at least five malicious applications.

Reports claim that the spyware is tied to a notorious DPRK hacker group, ScarCruft. Moreover, the spyware campaign primarily targets Korean and English-speaking users, posing as apps that provide services such as file managers, security tools, and software updates.

The malicious programs also provide at least some of the claimed functionality while loading the KoSpy malware in the background. The only exception is an app called Kakao Security, which shows a false system window while seeking high-privileged rights.

The researchers also explained that they could link the spyware to APT37 based on its IP addresses.

The KoSpy spyware retrieves a file from a Firebase database to execute its infection process.

According to investigations, once the KoSpy spyware is activated on the compromised device, it obtains an encrypted configuration file from a Firebase Firestore database, which helps it evade detection.

Next, it connects to an attacker-controlled C2 server and performs tests to confirm that it is not running in an emulator. The malware then may acquire updated settings from the command-and-control, execute additional payloads, and activate or terminate itself dynamically using an “on/off” switch.

KoSpy is an effective spying tool with broad data collection features. It intercepts SMS messages and call logs, monitors the victim’s real-time GPS location, and retrieves local storage data.

It also records audio with the device’s microphone, captures photographs and videos with the camera, and takes screenshots of the display. Keystrokes are also recorded using Android Accessibility Services, making KoSpy a highly intrusive spying program.
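As an added defender-side illustration (not code from the report or from any of the analysed apps), the script below performs a static triage of an AndroidManifest.xml: it maps the capabilities described above (SMS, call logs, location, microphone, camera, an overlay window, and a bound Accessibility Service) to the standard Android permissions that grant them and flags apps that declare the whole cluster. The sample manifest is constructed for the example; the package name and service name are placeholders, and the threshold of four capabilities plus accessibility is an assumed heuristic.

```python
import xml.etree.ElementTree as ET

# Android resource namespace used for manifest attributes such as android:name.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Capabilities the report attributes to KoSpy, mapped to the standard Android
# permission strings that grant them (SYSTEM_ALERT_WINDOW covers a fake system
# window drawn over other apps; this mapping is an assumption of the example).
CAPABILITY_PERMISSIONS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}

def triage_manifest(manifest_xml: str) -> dict:
    """Return the spyware-like capabilities an AndroidManifest.xml declares."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME) for el in root.iter("uses-permission")}
    found = {cap for cap, perms in CAPABILITY_PERMISSIONS.items() if requested & perms}
    # Keystroke capture via Accessibility Services requires a service bound
    # with BIND_ACCESSIBILITY_SERVICE, so look for that rather than a permission.
    for svc in root.iter("service"):
        if svc.get(PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            found.add("accessibility")
    # Heuristic (assumed): accessibility plus several data-collection capabilities.
    return {"package": root.get("package"), "capabilities": sorted(found),
            "suspicious": "accessibility" in found and len(found) >= 4}

# Constructed sample manifest (not a real KoSpy artefact) for a "file manager" app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <service android:name=".KeyService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against manifests pulled from an APK with a decoder such as apktool; a legitimate file manager that declares this full cluster deserves a closer look regardless of where it was downloaded from.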

Furthermore, each malware-laden app uses a separate Firebase project and C2 server for data exfiltration, which is secured with a hardcoded AES key before transmission.

Even though the spyware apps have already been removed from Google Play and APKPure, users will need to manually uninstall them and scan their devices with security software to eliminate any remaining infection.

Lastly, Google assured the public that all applications confirmed to have contained spyware are now unavailable on the Play Store.
