A North Korean advanced persistent threat (APT) group has been actively targeting Korean and English-speaking users with a sophisticated Android surveillance tool, according to cybersecurity firm Lookout.
The spyware, named KoSpy, has been in operation since March 2022, disguising itself as utility applications to deceive unsuspecting users. The malware was distributed via Google Play and leveraged Firebase Firestore to retrieve configuration data and manage its operations remotely.
Cybersecurity experts have attributed KoSpy to ScarCruft (APT37), a North Korean state-sponsored hacking group that has been active since 2012. While its primary focus remains South Korea, the group has expanded its operations to several countries, including China, India, Japan, Kuwait, Nepal, Romania, Russia, Vietnam, and various Middle Eastern nations.
KoSpy has been detected masquerading as various legitimate applications, such as phone managers, file managers, smart utilities, software update tools, and even fake security apps. Once installed, the spyware connects to Firebase Firestore to receive commands, allowing attackers to modify its behavior, control infected devices remotely, and alter its command-and-control (C&C) server as needed.
The malware employs several security evasion techniques, including emulator detection and an activation mechanism based on a hardcoded date.
Once active, KoSpy can collect a vast range of sensitive data, including SMS messages, call logs, device location, screenshots, microphone recordings, photos, keystrokes, and installed app lists. It also monitors Wi-Fi networks and encrypts the stolen data before transmitting it to remote servers.
Lookout researchers uncovered five Firebase projects and multiple C&C servers linked to the malware. The spyware primarily targeted Korean and English-speaking users, with most affected apps featuring Korean language titles and interfaces supporting both languages.
Some KoSpy-infected apps were found on Google Play and on the third-party app store Apkpure. All known malicious apps have since been removed from Google Play following security intervention.