
A North Korean-linked hacking group successfully uploaded spyware to Google Play, tricking some users into downloading it, cybersecurity firm Lookout reported.
The spyware, named KoSpy, was part of an espionage campaign attributed with ‘high confidence’ to the North Korean government, according to Lookout. At least one spyware-laced app was available on Google Play, with more than 10 downloads before its removal. A cached version of the app’s page confirmed its presence, and Lookout shared a screenshot in its report.
Previous campaigns launched by North Korea focused on cryptocurrency attacks, but this recent activity marks a shift toward espionage. The spyware disguised itself as a file manager to collect sensitive user data, including SMS messages, call logs, location details, keystrokes, Wi-Fi information, and the list of installed apps. KoSpy is also said to be able to record audio, take photos, and capture screenshots. The malware retrieves its configuration settings from Firestore, a cloud database hosted on Google Cloud.
Following Lookout’s findings, the tech giant removed all identified spyware apps from the Google Play Store and deactivated associated Firebase projects. Google spokesperson Ed Fernandez confirmed that “Google Play automatically protects users from known versions of this malware on Android devices with Google Play Services.” However, Google did not comment on whether it agreed with Lookout’s attribution of the spyware to North Korea.
Lookout also found KoSpy-infected apps on the third-party app store APKPure. A spokesperson for APKPure stated they had not received any communication from Lookout regarding the issue. The individuals behind the email address linked to the spyware-hosting Google Play page did not respond to TechCrunch’s request for comment.
Researchers noted the campaign likely targeted English- and Korean-speaking individuals in South Korea, citing app names, user interfaces, and malware-linked IP addresses associated with the North Korean hacking groups APT37 and APT43.