Cybersecurity researchers at Lookout have discovered KoSpy, a sophisticated Android spyware linked to North Korea that has managed to infiltrate the Google Play Store. The malware is attributed to ScarCruft (APT37), a North Korean hacking group, and disguises itself as legitimate apps. It targets Korean and English-speaking users and can steal sensitive data while remaining undetected for months.
How KoSpy infects devices
According to the researchers, KoSpy disguises itself as a legitimate utility app on a phone. Lookout has found at least five variations of the malware disguising itself as 휴대폰 관리자 (Phone Manager), File Manager, 스마트 관리자 (Smart Manager), 카카오 보안 (Kakao Security), and Software Update Utility.
Given these legitimate-sounding names, it can trick users into installing it. Once installed, it does not immediately begin spying, which would be too conspicuous; instead it waits for activation. The researchers found that KoSpy relies on legitimate platforms to fetch its configuration and an updated Command and Control (C2) address.
Because that configuration is read from Firebase Firestore, a Google cloud service, the operators can switch the spyware on or off, update it, and point it at a new C2 server remotely, without user interaction and without shipping a new app version through Google Play. Traffic to Google infrastructure is ordinary for an Android app, so this first stage is hard to distinguish from benign activity.
What KoSpy can do
Once active, KoSpy can steal SMS messages and call logs. It can track GPS location in real time, access and modify files, record audio, take photos, and capture keystrokes and screenshots.
The spyware encrypts stolen data with AES before sending it to the C2 servers, so captured traffic cannot be read without the key. Additionally, attackers can remotely install new plugins, expanding the malware's capabilities without having to reinfect the device.
KoSpy is dangerous because its C2 system is more resilient than that of typical malware. Instead of hardcoding the C2 address into the app, as most malware does, it retrieves the current address from a Firebase Firestore document, a dead-drop resolver pattern. Because that lookup goes to Google-owned infrastructure over TLS, it blends in with the Firebase traffic that countless legitimate apps generate, and blocking the Firestore endpoint outright is not a realistic option for most defenders. The caveat is that the C2 server it is pointed at is not Google infrastructure, so the second connection, not the Firestore read, is where network monitoring has the best chance of catching it.
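To make the two-stage mechanism concrete, here is an added example (not Lookout's analysis code and not KoSpy's own code) that models it offline: one function parses a Firestore REST document the way a dead-drop resolver would, and a second runs a hunting heuristic over constructed per-app connection records. The Firestore document shape (`name`/`fields`/`stringValue`/`booleanValue`) is the real Firestore REST format; the field names `on` and `c2`, the project name, the package names, the IP addresses (documentation ranges) and the 300-second window are assumptions for illustration, not indicators from the report.

```python
"""Model of a Firestore dead-drop resolver plus a detection heuristic.

Added example. Field names ('on', 'c2'), package names, addresses and the
time window are assumptions; only the Firestore document layout is real.
"""
import json
from collections import defaultdict

FIRESTORE_HOST = "firestore.googleapis.com"
GOOGLE_SUFFIXES = (".googleapis.com", ".google.com", ".gstatic.com")

# Constructed sample of what a Firestore REST GET on one document returns.
SAMPLE_DOC = json.dumps({
    "name": "projects/example-proj/databases/(default)/documents/config/app",
    "fields": {
        "on": {"booleanValue": True},                     # assumed kill-switch field
        "c2": {"stringValue": "https://203.0.113.10/api"},  # assumed C2 field, TEST-NET-3
    },
})


def resolve_c2(doc_json):
    """Dead-drop step: read the kill switch and C2 URL from a Firestore document.

    Returns (active, c2_url), or None when the document carries no C2 yet,
    which is the 'stay dormant' case the article describes.
    """
    doc = json.loads(doc_json)
    fields = doc.get("fields", {})
    active = bool(fields.get("on", {}).get("booleanValue", False))
    c2 = fields.get("c2", {}).get("stringValue")
    if not c2:
        return None
    return active, c2


def is_google_host(host):
    return host == FIRESTORE_HOST or host.endswith(GOOGLE_SUFFIXES)


def flag_dead_drop_pattern(events, window=300):
    """Hunting heuristic over (timestamp, app, host) connection records.

    Flags an app that reads Firestore and then, within `window` seconds,
    opens a connection to a non-Google host it had never contacted before.
    The Firestore read itself is never flagged: it is the second hop that
    leaves Google infrastructure.
    """
    seen = defaultdict(set)   # hosts each app has contacted so far
    firestore_ts = {}         # most recent Firestore read per app
    hits = []
    for ts, app, host in sorted(events):
        if host == FIRESTORE_HOST:
            firestore_ts[app] = ts
        elif not is_google_host(host) and host not in seen[app]:
            t0 = firestore_ts.get(app)
            if t0 is not None and 0 <= ts - t0 <= window:
                hits.append((app, host, ts))
        seen[app].add(host)
    return hits


# Constructed connection records: (unix-ish timestamp, package, destination host).
EVENTS = [
    (50,  "com.example.weather",      "api.weather.example"),       # known backend, before Firestore
    (100, "com.example.phonemanager", FIRESTORE_HOST),              # dead-drop read
    (120, "com.example.phonemanager", "play.googleapis.com"),       # Google traffic, ignored
    (160, "com.example.phonemanager", "203.0.113.10"),              # new non-Google host: flagged
    (200, "com.example.weather",      FIRESTORE_HOST),
    (230, "com.example.weather",      "api.weather.example"),       # already seen: not flagged
    (900, "com.example.phonemanager", "198.51.100.7"),              # outside the window: not flagged
]

if __name__ == "__main__":
    print("resolved:", resolve_c2(SAMPLE_DOC))
    for app, host, ts in flag_dead_drop_pattern(EVENTS):
        print(f"suspect: {app} -> {host} at t={ts}")
```

The heuristic is deliberately narrow: it only fires when the post-Firestore destination is new for that app, so an app with an established backend is not flagged every time it touches Firebase. It is a triage aid, not a verdict; the page's real signal is the app identity, and an analyst would confirm by inspecting the app's permissions and its second-hop destination.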
Attackers can also shut down or reactivate the spyware remotely and change the C2 address if one is blocked, which makes KoSpy harder to disrupt than traditional spyware. Google has removed these apps, but the case shows that an official app store is a necessary safeguard, not a sufficient one: these apps were in Google Play. Stick to official stores where possible, check the developer and reviews before installing, be suspicious of a "manager" or "security" utility that asks for SMS, call-log, microphone, camera or location access beyond its stated purpose, keep Google Play Protect enabled, and make sure your phone has the latest security updates installed.