In brief: Malware making its way past Google’s checks and onto the Play Store isn’t a new phenomenon, yet it keeps happening. The latest incident involved spyware that was uploaded to the Android app store by a group of hackers believed to be linked to the North Korean regime.
Lookout Threat Lab researchers discovered the spyware, dubbed KoSpy, attributing it with medium confidence to North Korean APT group ScarCruft, also known as APT37.
The spyware was hidden in the type of fake apps we so often see in these cases: file managers, software update utilities, and security software.
KoSpy is able to pilfer an extensive amount of sensitive information from devices it infects. This includes SMS messages, call logs, device location, access to files and folders on local storage, Wi-Fi network details, and a list of installed applications.
The spyware is also able to perform even more sinister actions: recording and taking photos with a device’s cameras, capturing screenshots or recording the screen while in use, and recording keystrokes by abusing Android’s accessibility services.
Lookout explains that the collected data is sent to Command and Control (C2) servers after being encrypted with a hardcoded AES key.
KoSpy also leveraged Firebase Firestore, Google’s cloud-hosted database, to receive initial configuration data.
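The three traits the report names (a hardcoded AES key, Firestore-sourced configuration, and an accessibility service used for keylogging) are exactly what an analyst would grep decompiled app code for. The heuristic triage below is an added example, not Lookout’s tooling or anything from the KoSpy sample; the decompiled-Java fragment it scans is constructed, and the assumption that the key is built with `SecretKeySpec` from a string constant is illustrative rather than taken from the page.

```python
"""Heuristic triage of decompiled Android source for the traits the KoSpy
write-up names: hardcoded AES key, Firestore config, accessibility service.
Constructed sample input; added example, not Lookout's or the page's code."""
import re

# Constructed decompiled-Java fragments standing in for jadx-style output.
SAMPLE_SOURCE = """
import com.google.firebase.firestore.FirebaseFirestore;
public class Cfg {
    FirebaseFirestore db = FirebaseFirestore.getInstance();
    static final String K = "0123456789abcdef";
    SecretKeySpec key = new SecretKeySpec(K.getBytes(), "AES");
    Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
}
public class Svc extends AccessibilityService {
    public void onAccessibilityEvent(AccessibilityEvent e) { }
}
"""

# Each rule: name, regex, what a match means for triage (assumed patterns).
RULES = [
    ("hardcoded_aes_key",
     re.compile(r'new\s+SecretKeySpec\(\s*([A-Za-z_]\w*)\.getBytes\(\)'),
     "AES key built from a named constant rather than derived at runtime"),
    ("firestore_config",
     re.compile(r'\bFirebaseFirestore\.getInstance\(\)'),
     "app pulls remote data from Firestore"),
    ("accessibility_service",
     re.compile(r'extends\s+AccessibilityService\b'),
     "declares an accessibility service (keystroke capture vector)"),
]

def find_string_constant(source, name):
    """Resolve `String NAME = "...";` to its literal value, or None."""
    m = re.search(r'String\s+' + re.escape(name) + r'\s*=\s*"([^"]*)"', source)
    return m.group(1) if m else None

def triage(source):
    """Return {rule_name: detail} for every rule that fires on the source."""
    hits = {}
    for name, pattern, meaning in RULES:
        m = pattern.search(source)
        if not m:
            continue
        detail = meaning
        if name == "hardcoded_aes_key":
            literal = find_string_constant(source, m.group(1))
            if literal is not None:
                # 16/24/32-byte literals line up with AES-128/192/256 keys.
                detail += f"; literal of {len(literal)} bytes (AES-{len(literal) * 8}?)"
        hits[name] = detail
    return hits

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_SOURCE).items():
        print(f"[{rule}] {detail}")
```

A literal key recovered this way also lets responders decrypt captured exfiltration traffic to establish what was actually taken from a victim device.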
At least one of these infected apps made it onto the Google Play Store and was publicly available for a while. A cached snapshot of the Play Store listing page for the File Manager app shows it was downloaded more than 10 times.
Some of the malicious apps were also found on third-party app store APKPure.
The goals of this campaign beyond the information gathering are unknown. Christoph Hebeisen, Lookout’s director of security intelligence research, told TechCrunch that the low number of downloads from the Play Store and elsewhere suggests the spyware app was likely targeting specific people, probably those in South Korea who speak English or Korean.
Google spokesperson Ed Fernandez told TechCrunch that Lookout shared its report with the company, and all of the identified apps have now been removed from the Play Store. The Firebase projects have also been deactivated.
Last month, Dubai-based crypto exchange Bybit was targeted in a heist perpetrated by notorious state-sponsored North Korean hacking crew Lazarus Group. $1.5 billion in digital assets were stolen, making it the largest crypto heist in history.