ScarCruft, a North Korean advanced persistent threat (APT) group, has been behind a new Android surveillance tool called KoSpy. This malware has been active since March 2022 and primarily targets Korean and English-speaking users. KoSpy is distributed through seemingly legitimate utility apps, such as file managers and phone managers, available on Google Play and third-party platforms like Apkpure. These apps appear harmless to unsuspecting users, offering typical device functionality, but in reality, they act as gateways for deploying the malicious spyware once installed. The tool has been linked to ScarCruft, also known as APT37, a North Korean cyber espionage group known for targeting governments, media, and tech sectors worldwide.
Once installed, KoSpy performs extensive surveillance, collecting SMS messages, call logs, location data, and even screenshots and photos.
The spyware can also record audio from the device’s microphone, track Wi-Fi networks, capture keystrokes, and retrieve files from the device. It is designed to function stealthily, avoiding detection by masquerading as a legitimate utility app. A key feature of KoSpy is its ability to retrieve configuration data and command-and-control (C&C) server addresses from Firebase Firestore.
This allows attackers to update the malware’s functionality and change the C&C server at any time, which makes it harder to track and block.
Lookout, the cybersecurity firm that uncovered KoSpy’s operation, identified several Firebase projects and C&C servers tied to the campaign. The malware leverages Firebase Firestore’s cloud infrastructure, a legitimate service, to retrieve configuration settings and evade detection. Google Play Protect has helped mitigate some of the risks by blocking known versions of KoSpy. However, the malware was still able to operate undetected on devices until it was removed from Google Play. Lookout’s research highlights how these types of surveillance tools are distributed across legitimate platforms, making it more challenging for users to distinguish between malicious and safe apps.
