
Spyware in bogus Android apps is attributed to North Korean group

North Korean state-backed hackers infected Android devices with malware intended to spy on Korean and English speakers, researchers said Wednesday.

Mobile and cloud security firm Lookout labeled the malware KoSpy and said it appears to be the work of an advanced persistent threat group tracked as ScarCruft or APT37.

KoSpy, which the company spotted on the Google Play Store and third-party app stores, is able to gather significant amounts of sensitive data, including call logs, text messages, files, audio, screenshots and user location, according to the report. 

The malware has been embedded in bogus utility apps with titles such as File Manager, Software Update Utility and Kakao Security, Lookout said. Google has taken down all of the known infected apps, the researchers said.

A Google spokesperson issued a statement saying that the latest malware sample was removed from Google Play before any user installations. 

“Google Play Protect automatically protects Android users from known versions of this malware on devices with Google Play Services, even when apps come from sources outside of Play,” the statement said.

KoSpy was first seen in March 2022 and new samples were spotted as recently as last year, Lookout said.

“More than half of the apps have Korean language titles and the UI supports two languages: English and Korean,” Lookout said. “The messages and text fields in the app are shown in Korean if the device language is set to Korean and in English otherwise.”

KoSpy appears to share infrastructure with the North Korean state-sponsored group tracked as Kimsuky or APT43. Those hackers are reportedly behind a wave of spearphishing attacks that deploy malware to steal information, a campaign known as forceCopy.

ScarCruft, the group linked to KoSpy, has been operating since 2012. While it mainly targets South Koreans, it has also attacked users in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait and several countries in the Mideast, Lookout said.

An espionage campaign targeting media organizations and high-profile academics was attributed to ScarCruft in January.

In October, researchers linked a malware operation in Southeast Asia to the group.

Editor's Note: Story updated 1:40 p.m. Eastern time with statement from Google.

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.