North Korean Hackers Successfully Upload Android Spyware to Google Play Store

Sophia Steele

March 12, 2025 · 4 min read

A cybersecurity firm, Lookout, has uncovered a sophisticated espionage campaign involving Android spyware, which was uploaded to the Google Play app store by hackers linked to the North Korean regime. The spyware, dubbed KoSpy, was designed to collect an extensive amount of sensitive information from infected devices, including SMS text messages, call logs, location data, and more.

According to Lookout's report, at least one of the spyware apps was available on Google Play and was downloaded more than 10 times. A cached snapshot of the app's page on the official Android app store revealed that the app pretended to be a file manager, but was actually a malicious tool designed to surveil users.

The goals of the North Korean spyware campaign are still unknown, but Lookout's director of security intelligence research, Christoph Hebeisen, believes that the app was likely targeting specific individuals, given the low number of downloads. The spyware's functionality suggests that it was designed for surveillance purposes, rather than financial gain, which is a common motive behind North Korean cyber attacks.

KoSpy's capabilities are alarming, to say the least. It can record audio, take pictures with the phone's cameras, capture screenshots, and even retrieve "initial configurations" from Firestore, a cloud database built on Google Cloud infrastructure. The spyware also collects an extensive amount of sensitive information, including SMS text messages, call logs, location data, files and folders on the device, user-entered keystrokes, Wi-Fi network details, and a list of installed apps.
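The capability list above maps fairly directly onto Android permissions, which is one of the cheaper checks a reviewer or defender can run before trusting an app that calls itself a file manager. The script below is an added example written for this article, not code from Lookout's report or from the spyware itself: it parses a constructed AndroidManifest.xml, groups the requested permissions by the capabilities the article names, and flags the gap between what the app claims to be and what it asks for. The permission groupings, the `EXPECTED_CAPABILITIES` table, and the assumption that keystroke capture is implemented through an accessibility service are this example's own, not details from the report.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Capabilities the article attributes to KoSpy, mapped to the permissions an
# app would need for each. This grouping is the example's own, not Lookout's.
CAPABILITY_PERMISSIONS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "wifi": {"android.permission.ACCESS_WIFI_STATE"},
    "installed_apps": {"android.permission.QUERY_ALL_PACKAGES"},
}

# What a given category of app legitimately needs (assumption for this example).
EXPECTED_CAPABILITIES = {"file_manager": {"storage"}}

# Constructed manifest: a "file manager" requesting far more than file access.
# The package name is a placeholder, not an identifier from the report.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager.placeholder">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <application>
        <service android:name=".KeyService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    </application>
</manifest>"""

# Constructed manifest of a file manager that asks only for what it needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benignfiles.placeholder">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application/>
</manifest>"""


def parse_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def declares_accessibility_service(manifest_xml: str) -> bool:
    """True if any <service> binds as an accessibility service. Treated here
    (assumption) as the capability behind keystroke capture."""
    root = ET.fromstring(manifest_xml)
    return any(
        el.get(PERMISSION_ATTR) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for el in root.iter("service")
    )


def assess(manifest_xml: str, declared_purpose: str) -> dict:
    """Compare requested capabilities against what the declared purpose needs."""
    perms = parse_permissions(manifest_xml)
    capabilities = {cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}
    if declares_accessibility_service(manifest_xml):
        capabilities.add("keystrokes")
    unexpected = capabilities - EXPECTED_CAPABILITIES.get(declared_purpose, set())
    # Thresholds are the example's own: several surveillance-grade capabilities
    # with no relation to the stated purpose is the pattern the article describes.
    if len(unexpected) >= 3:
        verdict = "spyware-like"
    elif unexpected:
        verdict = "review"
    else:
        verdict = "consistent"
    return {"capabilities": sorted(capabilities),
            "unexpected": sorted(unexpected),
            "verdict": verdict}


if __name__ == "__main__":
    for label, manifest in (("suspicious", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, assess(manifest, "file_manager"))
```

A manifest check like this catches the mismatch between cover story and permissions, but not behaviour that needs no special permission, such as fetching configuration from a Firestore database over ordinary network access; that part of the article's description is only visible by inspecting the app's network traffic or code.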

Google has since removed the identified apps from Play and deactivated the associated Firebase projects. A Google spokesperson stated that Google Play automatically protects users from known versions of this malware on Android devices with Google Play Services. However, Google declined to comment on specific questions about the report, including whether they agree with the attribution to the North Korean regime.

Lookout's report also revealed that some of the spyware apps were found on the third-party app store APKPure. An APKPure spokesperson claimed that the company did not receive any email from Lookout. The developer's email address listed on the Google Play page hosting the spyware app did not respond to requests for comment.

Lookout's researchers believe that the campaign was highly targeted, likely aimed at individuals in South Korea who speak English or Korean. This assessment is based on the names of the apps, some of which are in Korean, and on the user interface, which supports both languages.

The spyware apps also use domain names and IP addresses that were previously identified as being present in malware and command and control infrastructure used by North Korean government hacking groups APT37 and APT43. This suggests a clear link between the KoSpy campaign and the North Korean regime.

The incident highlights the ongoing threat posed by North Korean hackers, who have been known to orchestrate daring crypto heists, such as the recent theft of around $1.4 billion in Ethereum from crypto exchange Bybit. The fact that they were able to upload spyware to the Google Play app store underscores the need for vigilance and robust security measures to protect against these types of threats.

In conclusion, the discovery of KoSpy serves as a stark reminder of the evolving cyber threats emanating from nation-state actors. As the cybersecurity landscape continues to shift, it is essential for technology companies, governments, and individuals to remain proactive in detecting and mitigating these types of threats.

Copyright © 2024 Starfolk. All rights reserved.