Friday, March 14, 2025
North Korean Hackers Use Google Play Malware to Steal SMS, Calls & Screenshots

Cybersecurity researchers at Lookout Threat Lab have uncovered a sophisticated Android surveillance tool dubbed “KoSpy,” which appears to be the work of North Korean state-sponsored hackers.

This newly discovered spyware has been active since March 2022, with the most recent samples detected in March 2024, indicating a long-running and persistent cyber espionage campaign.

The malicious software, attributed with medium confidence to the North Korean advanced persistent threat group known as APT37 (also called ScarCruft), masquerades as legitimate utility applications to trick users into installing it on their devices.

Once installed, KoSpy can exfiltrate an extensive range of sensitive user data through a sophisticated command and control infrastructure, predominantly targeting Korean and English-speaking individuals.

Discovery and Attribution of the North Korean Surveillance Campaign

KoSpy represents a significant evolution in North Korean cyber espionage capabilities, with evidence linking it to the notorious APT37 group that has been active since 2012.

Researchers at Lookout identified multiple samples of the spyware masquerading as five different utility applications, including “Phone Manager,” “File Manager,” “Smart Manager,” “Kakao Security,” and “Software Update Utility.”

Most KoSpy samples offer some basic functionality; the exception is the Kakao Security app, which gets stuck at a fake permission request screen.

These applications present users with basic interfaces that appear legitimate, often opening related internal phone settings or providing simple functionality to avoid raising suspicion.

Behind this benign facade, however, lies sophisticated surveillance code that begins its malicious activities by first retrieving configuration data from Firebase Firestore, a cloud database service offered by Google.

The analysis conducted by Lookout researchers revealed a deliberate targeting pattern focused on Korean and English-speaking users, with more than half of the malicious applications featuring Korean language titles.

The user interface of these applications supports both Korean and English languages, dynamically selecting which to display based on the device’s language settings.

KoSpy's user interface includes Korean-language support.

This bilingual capability, combined with infrastructure connections to previously identified North Korean cyber operations, led researchers to attribute the campaign to APT37 with medium confidence.

This North Korean group has an established history of targeting South Korea primarily, but has also conducted operations against numerous other countries including Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and several Middle Eastern nations.

Technical Sophistication of KoSpy’s Surveillance Mechanisms

The technical architecture of KoSpy demonstrates considerable sophistication, employing a two-stage command and control (C2) infrastructure that provides the threat actors with flexibility and resilience.

After installation, the spyware first connects to Firebase Firestore to retrieve an encrypted configuration containing two essential parameters: an “on/off” switch and the address of its command and control server.

This approach allows the operators to enable or disable the spyware remotely and change C2 addresses if their infrastructure is detected or blocked by security researchers or authorities.

Some KoSpy C2 domains are still online, but they no longer respond to client requests.

KoSpy also includes checks to avoid detection: before exposing its malicious functionality it verifies that the device is not an emulator and that the current date is past a hardcoded activation date. This gate prevents premature exposure and also defeats automated sandboxes that run the sample immediately after installation.

Once activated, KoSpy establishes communication with its command and control servers through two different types of requests: one to download additional malicious plugins and another to retrieve configuration settings for its surveillance functions.

The configuration request typically receives a JSON document that determines various operational parameters, including how frequently the spyware should communicate with its C2 server, what messages to display to users in Korean and English, URLs for downloading plugins, and class names to dynamically load.

These requests contain encrypted and Base64-encoded payloads with clearly visible field names, including a unique victim identifier generated from the device’s hardware fingerprint and Android ID.

Although researchers observed five different Firebase projects and five different C2 servers during their analysis, they noted that while some KoSpy command and control domains remain online, they were not responding to client requests at the time of investigation.

The spyware’s data collection capabilities are extensive and deeply invasive, facilitated by dynamically loaded plugins that can access virtually all sensitive information on a victim’s device.

KoSpy can collect SMS messages, call logs, precise device location, files and folders stored on local storage, audio recordings, photos captured using the device’s cameras, screenshots, and screen recordings.

It can even record keystrokes by abusing accessibility services, gather information about WiFi networks, and compile lists of installed applications.

All collected information is encrypted with a hardcoded AES key before being transmitted to the command and control servers, which hides the contents from casual network inspection. Because the key is embedded in the APK, however, an analyst who recovers it can decrypt captured traffic.
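The capability list above maps directly onto Android permissions, which makes a quick static triage of a decoded manifest worthwhile: a "File Manager" that asks for SMS, call-log, microphone, camera and accessibility access is not a file manager. The script below is an added example, not Lookout's or the malware's code; the permission-to-capability mapping is standard Android, the two manifests are constructed for illustration (not real KoSpy samples), and the suspicion threshold is an assumption. A real APK ships a binary manifest, so decode it first (for example with apktool) before feeding it in.

```python
"""Static triage of a decoded AndroidManifest.xml against the surveillance
capability set described for KoSpy.

Added example, not Lookout's or the malware's code. The permission mapping
is standard Android; the manifests below are constructed, not real samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability -> Android permissions that grant it (standard mapping).
CAPABILITY_PERMISSIONS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "wifi": {"android.permission.ACCESS_WIFI_STATE"},
    "installed_apps": {"android.permission.QUERY_ALL_PACKAGES"},
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Assumption for this example: a utility app needing four or more of these
# capabilities deserves a closer look.
SUSPICIOUS_THRESHOLD = 4


def triage_manifest(manifest_xml: str) -> dict:
    """Return the surveillance capabilities a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    requested = {
        el.attrib.get(ANDROID_NS + "name", "")
        for el in root.iter("uses-permission")
    }
    capabilities = sorted(
        cap for cap, perms in CAPABILITY_PERMISSIONS.items()
        if requested & perms
    )
    # An accessibility service is what lets spyware read keystrokes and screen
    # content; it is declared as a <service> bound with this permission.
    accessibility = any(
        svc.attrib.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND
        for svc in root.iter("service")
    )
    score = len(capabilities) + (1 if accessibility else 0)
    return {
        "package": root.attrib.get("package", ""),
        "capabilities": capabilities,
        "accessibility_service": accessibility,
        "score": score,
        "suspicious": score >= SUSPICIOUS_THRESHOLD,
    }


# Constructed manifest of a "file manager" that asks for far more than a file
# manager needs (not a real sample).
SPYWARE_LIKE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <service android:name=".KeyService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of a plausible benign file manager.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benignfiles">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    for manifest in (SPYWARE_LIKE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The score is only a triage signal: legitimate apps (messaging clients, launchers) legitimately hold several of these permissions, so the useful comparison is between what the app claims to be and what it asks for, as with the "File Manager" above.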

Distribution Methods and Connections to Broader North Korean Cyber Operations

The distribution strategy for KoSpy involved both official and unofficial application channels, with some samples having been available for download from the Google Play Store alongside third-party app stores such as APKPure.

Although none of the malicious applications remain available on Google Play at present, researchers discovered a cached snapshot of a Play Store listing page for the “File Manager” app that showed it had been publicly available and downloaded more than ten times.

The listing showed that the developer account used the name "Android Utility Developer", gave a contact email address, and linked to a privacy policy hosted on a Blogspot address.

The threat actors even created promotional content for their malicious application, uploading a YouTube video to enhance its legitimacy.

What makes this campaign particularly noteworthy is its infrastructure connections to other North Korean threat groups, suggesting potential collaboration or resource-sharing among state-sponsored actors.

Lookout researchers observed that one of KoSpy’s command and control domains, st0746.net, resolved to an IP address located in South Korea that had previously been associated with numerous potentially malicious Korea-related domain names.

Some of these domains, such as naverfiles.com and mailcorp.center, have been linked to attacks targeting Korean users with Konni, a Windows Remote Access Trojan (RAT) attributed to APT37.

Another domain connected to the same infrastructure, nidlogon.com, was previously identified by Microsoft as part of the command and control infrastructure of Thallium, also known as Kimsuky or APT43, which is another notorious North Korean state-sponsored hacking group.

These infrastructure overlaps highlight a common characteristic of North Korean cyber operations, where different threat groups often share resources, targeting strategies, and tactics, techniques, and procedures (TTPs).

This sharing of infrastructure makes attribution to specific actors more challenging but also provides valuable intelligence about the broader ecosystem of North Korean cyber capabilities.

The connections between KoSpy and both APT37 and APT43 infrastructure suggest a sophisticated and coordinated approach to cyber espionage by North Korean state-sponsored threat actors, potentially indicating collaboration between different hacking units or centralized resource management within North Korea’s cyber warfare program.
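The overlap Lookout describes is a passive-DNS pivot: take the C2 domain, find the IP it resolved to, list the other domains seen on that IP, and check them against domains already tied to known tooling. The script below is an added example, not Lookout's code. The domain names and their attributions are the ones named in the article; the IP address (RFC 5737 documentation range), the resolution records, and the two extra domains `example-cdn.net` and `unrelated.example` are constructed placeholders, not real passive-DNS data.

```python
"""Passive-DNS pivot from a KoSpy C2 domain to co-resolving infrastructure.

Added example, not Lookout's code. Domains and attributions come from the
article; the IP and the resolution records are constructed placeholders.
"""
from collections import defaultdict

# Constructed passive-DNS observations: (domain, resolved IP).
PDNS_RECORDS = [
    ("st0746.net", "203.0.113.10"),         # KoSpy C2 (article)
    ("naverfiles.com", "203.0.113.10"),     # Konni-linked (article)
    ("mailcorp.center", "203.0.113.10"),    # Konni-linked (article)
    ("nidlogon.com", "203.0.113.10"),       # Thallium/Kimsuky C2 (article)
    ("example-cdn.net", "203.0.113.10"),    # constructed: co-hosted, unattributed
    ("unrelated.example", "198.51.100.7"),  # constructed: different IP
]

# Attribution the article gives for the co-resolving domains.
KNOWN_ATTRIBUTION = {
    "naverfiles.com": "Konni RAT (APT37)",
    "mailcorp.center": "Konni RAT (APT37)",
    "nidlogon.com": "Thallium / Kimsuky (APT43)",
}


def build_index(records):
    """Index resolutions both ways so we can pivot domain -> IP -> domains."""
    by_domain, by_ip = defaultdict(set), defaultdict(set)
    for domain, ip in records:
        by_domain[domain].add(ip)
        by_ip[ip].add(domain)
    return by_domain, by_ip


def pivot(seed, records, attribution):
    """Return every domain that shares an IP with `seed`, with attribution."""
    by_domain, by_ip = build_index(records)
    ips = by_domain.get(seed, set())
    related = {}
    for ip in ips:
        for domain in by_ip[ip]:
            if domain != seed:
                related[domain] = attribution.get(domain, "unattributed")
    attributed = {d: a for d, a in related.items() if a != "unattributed"}
    return {
        "seed": seed,
        "ips": sorted(ips),
        "related": related,
        "attributed": attributed,
        # Co-resolution is a lead, not proof: shared hosting produces it too,
        # which is why unattributed neighbours are kept visible for review.
        "groups": sorted(set(attributed.values())),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(pivot("st0746.net", PDNS_RECORDS, KNOWN_ATTRIBUTION), indent=2))
```

The `groups` field is the point of the exercise: a single seed domain landing on an IP shared by both Konni-linked and Kimsuky-linked domains is what supports the article's resource-sharing observation. The unattributed neighbour is deliberately left in the output, since a busy shared host would fill it with noise and the analyst has to decide whether the IP is dedicated enough for the overlap to mean anything.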

The discovery of KoSpy represents a significant development in the landscape of mobile surveillance tools deployed by state-sponsored threat actors.

Its sophisticated technical capabilities, stealthy operation, and connections to established North Korean APT groups highlight the ongoing evolution of cyber espionage tactics targeting mobile devices.

The campaign’s specific focus on Korean and English-speaking users suggests strategic intelligence gathering objectives aligned with North Korean state interests, particularly its long-standing focus on South Korea and Western nations.

Security researchers continue to monitor KoSpy and its related infrastructure; the malware family remained active throughout the period analysed, with samples detected as recently as March 2024.

The removal of these applications from Google Play and the deactivation of associated Firebase projects by Google represents important defensive measures, but the threat actors’ ability to distribute through alternative channels means users must remain vigilant against seemingly innocent utility applications that may harbor sophisticated spyware.

As mobile devices increasingly store our most sensitive personal and professional information, they will continue to be prime targets for state-sponsored surveillance operations like the KoSpy campaign discovered by Lookout.


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
