
North Korean Hackers' Android Malware on Google Play Steals SMS, Call Logs & Screenshots – CybersecurityNews

A sophisticated new Android malware campaign linked to North Korean hackers has been discovered, posing a significant security threat that managed to infiltrate Google’s official Play Store.
The spyware, dubbed “KoSpy,” targets Korean and English-speaking users by disguising itself as utility applications while secretly harvesting sensitive data from compromised devices.
Samples of the malware date from March 2022 through March 2024, so the operators kept the campaign running for roughly two years; it is the latest step in state-sponsored mobile surveillance tooling.
The malicious applications masqueraded as innocent utilities including “File Manager,” “Software Update Utility,” and “Kakao Security,” offering basic functionality to avoid raising suspicion while covertly deploying spyware components in the background.
One sample discovered on Google Play was downloaded more than ten times before being removed from the platform, indicating a targeted rather than mass-deployment approach.
Researchers at Lookout identified that KoSpy employs a sophisticated two-stage command and control infrastructure that initially retrieves configurations from a Firebase cloud database.
This approach provides the threat actors with flexibility and resilience, allowing them to enable or disable the spyware remotely and change command servers if existing infrastructure is detected or blocked.
Technical analysis revealed the malware performs security checks to ensure it is not running in an emulator and verifies the current date against a hardcoded activation date before initiating its malicious functions.
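The gate described above, written out as an added example in Go. This is not KoSpy's code and not code from Lookout; the Build property names, the emulator marker list, the activation date and the two device profiles are all constructed for illustration. It shows why a sandbox run with a stock emulator image, or with its clock set before the embedded date, produces no malicious behaviour at all: both checks have to pass before any collection starts.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// DeviceProps stands in for the android.os.Build fields an app can read
// without any permission. Field names are this example's assumption, not
// KoSpy's code.
type DeviceProps struct {
	Fingerprint  string
	Model        string
	Manufacturer string
	Hardware     string
	Product      string
}

// emulatorMarkers lists substrings that the stock Android emulator and common
// virtual images leave in Build properties (assumed list for this example).
var emulatorMarkers = map[string][]string{
	"fingerprint":  {"generic", "unknown"},
	"model":        {"google_sdk", "Emulator", "Android SDK built for"},
	"manufacturer": {"Genymotion"},
	"hardware":     {"goldfish", "ranchu", "vbox86"},
	"product":      {"sdk", "vbox86p"},
}

// LooksLikeEmulator reports whether any Build property carries an emulator marker.
func LooksLikeEmulator(p DeviceProps) bool {
	fields := map[string]string{
		"fingerprint":  p.Fingerprint,
		"model":        p.Model,
		"manufacturer": p.Manufacturer,
		"hardware":     p.Hardware,
		"product":      p.Product,
	}
	for name, value := range fields {
		for _, marker := range emulatorMarkers[name] {
			if strings.Contains(value, marker) {
				return true
			}
		}
	}
	return false
}

// ShouldActivate is the gate in front of every collection routine: the implant
// stays dormant on an emulator and on any device whose clock has not yet
// reached the hardcoded activation date. The reason string is for the analyst.
func ShouldActivate(p DeviceProps, now, activation time.Time) (bool, string) {
	if LooksLikeEmulator(p) {
		return false, "emulator detected; stay dormant"
	}
	if now.Before(activation) {
		return false, "clock before activation date; stay dormant"
	}
	return true, "checks passed; start collection"
}

func main() {
	// Constructed activation date; the real value is whatever a sample embeds.
	activation := time.Date(2023, time.January, 1, 0, 0, 0, 0, time.UTC)

	// Constructed device profiles: a stock emulator image and a retail handset.
	emulator := DeviceProps{
		Fingerprint:  "google/sdk_gphone_x86/generic_x86:11/RSR1.201013.001/6903271:userdebug/dev-keys",
		Model:        "sdk_gphone_x86",
		Manufacturer: "Google",
		Hardware:     "ranchu",
		Product:      "sdk_gphone_x86",
	}
	handset := DeviceProps{
		Fingerprint:  "samsung/a52qxxx/a52q:13/TP1A.220624.014/A525FXXS6DWB1:user/release-keys",
		Model:        "SM-A525F",
		Manufacturer: "samsung",
		Hardware:     "qcom",
		Product:      "a52qxxx",
	}

	for _, c := range []struct {
		label string
		props DeviceProps
		now   time.Time
	}{
		{"stock emulator, clock after date", emulator, activation.AddDate(0, 1, 0)},
		{"handset, clock before date", handset, activation.AddDate(0, -1, 0)},
		{"handset, clock after date", handset, activation.AddDate(0, 1, 0)},
	} {
		ok, why := ShouldActivate(c.props, c.now, activation)
		fmt.Printf("%-36s -> %-5v (%s)\n", c.label, ok, why)
	}
}
```

For dynamic analysis this means two things: run the sample on a device image whose Build properties look retail, and set the system clock past the activation date pulled from the decompiled APK; otherwise the run only records the benign utility behaviour.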
Once these checks are satisfied, KoSpy begins collecting extensive data including SMS messages, call logs, precise location information, files from local storage, and captures screenshots of the victim’s device.
The spyware can also record audio through the microphone, take photos with the device's cameras, and log keystrokes by abusing accessibility services. A self-described utility app that asks for an accessibility service binding alongside SMS, call log and location access is a combination worth flagging in any app review.
All collected data is encrypted with an AES key hardcoded in the app before it is sent to the command and control servers, so content-based network signatures have nothing stable to match. The flip side for defenders is that a key embedded in the APK can be recovered by decompiling it, after which captured uploads can be decrypted offline.
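The encryption pattern above, as an added example in Go rather than code from KoSpy or from Lookout's report. It assumes AES-CBC with PKCS#7 padding and a random IV prepended to the ciphertext, which is the shape Java's "AES/CBC/PKCS5Padding" cipher produces on Android; the key, the wrong key and the SMS record are all constructed for this example. Seal is the implant side, Open is what an analyst does with the key lifted from the APK and a blob carved out of a capture.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// hardcodedKey is a constructed 16-byte AES key standing in for the one an
// implant embeds in its APK. It is not a key from KoSpy.
var hardcodedKey = []byte("constructed-k3y!")

// pkcs7Pad / pkcs7Unpad match what Java's "AES/CBC/PKCS5Padding" produces.
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("ciphertext length is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size {
		return nil, errors.New("bad padding byte")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// Seal is the implant side: AES-CBC under the embedded key with a fresh random
// IV prepended. Every upload of the same record looks different on the wire,
// which is what defeats content-based network signatures.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...), nil
}

// Open is the analyst side: with the key lifted from the decompiled APK, a blob
// captured from the network decrypts offline. A wrong key fails on padding or
// yields garbage, never the original record.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("blob too short or not block aligned")
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

func main() {
	// Constructed record of the kind the article says is collected (an SMS entry).
	record := []byte(`{"type":"sms","from":"+82-10-0000-0000","body":"verification code 123456"}`)

	blob, err := Seal(hardcodedKey, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the wire (first 24 bytes): %x\n", blob[:24])

	if pt, err := Open(hardcodedKey, blob); err == nil {
		fmt.Printf("with APK key: %s\n", pt)
	}
	pt, err := Open([]byte("sixteen-wrong-by"), blob)
	fmt.Printf("with wrong key: err=%v, matches=%v\n", err, bytes.Equal(pt, record))
}
```

Because the IV is random, two uploads of the same record share no bytes, so detection on the wire has to lean on the destination (the Firebase project and the C2 host), upload cadence and payload sizes rather than on content; once the key is out of the APK, the content is available offline for scoping what was taken.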
The KoSpy campaign has been attributed with medium confidence to APT37 (also known as ScarCruft), a North Korean state-sponsored cyber espionage group active since 2012.
Lookout's investigation also found infrastructure overlap with a second North Korean group, APT43 (also known as Kimsuky).
One of the command domains used by KoSpy, st0746[.]net, resolved to an IP address previously associated with domains used in attacks deploying Konni malware, a Windows RAT family linked to APT37.
While examining network connections, researchers identified five different Firebase projects and five distinct command and control servers utilized in this campaign.
Splitting stage-one configuration and stage-two command and control across ten separate hosts means that blocking or taking down any single Firebase project or domain does not stop the campaign.
Google has since removed all identified malicious applications from the Play Store and deactivated the associated Firebase projects.
The case shows how hard it remains to keep state-sponsored spyware out of official app stores as these actors keep refining stealthier staging and deployment methods.
