Newsinterpretation

Dangerous Malware: KoSpy Spyware Targets Android Users Worldwide

A Dangerous Spyware Hidden in Apps

North Korean hacking groups secretly placed a new and dangerous spyware called KoSpy inside five apps on Android devices. These apps were available for download on Google Play and APKPure, a third-party app store.

Cybersecurity experts found that this spyware has been active since March 2022 and was designed to steal personal data from Android users. The group behind this attack, known as APT37 (ScarCruft), has a history of targeting users through malicious software. The KoSpy spyware disguised itself as useful apps, such as file managers, security tools, and software updaters. This tricked users into installing it on their devices without realizing its true purpose.

The infected apps identified by researchers include:

  • 휴대폰 관리자 (Phone Manager)
  • File Manager (com.file.exploer)
  • 스마트 관리자 (Smart Manager)
  • 카카오 보안 (Kakao Security)
  • Software Update Utility

These apps appeared to work as expected, but in the background, they secretly loaded the KoSpy spyware. However, one app, Kakao Security, did not offer any real functionality. Instead, it only displayed a fake system message while requesting dangerous permissions.

Google has confirmed that these harmful apps have now been removed from Google Play. However, users who downloaded them before the removal still need to manually delete them to stay safe.

How KoSpy Steals Information

Once installed, KoSpy starts spying on the device without the user noticing. It first retrieves hidden instructions from a Firebase Firestore database. This helps it avoid detection by security tools. Then, it connects to a remote command and control (C2) server, which gives it further instructions.

To make sure it is not being examined by security researchers, KoSpy checks if it is running in an emulator. If it finds signs of an emulator, it will not activate, making it harder for experts to analyze the malware.

Once active, KoSpy can steal a wide range of data from the infected device. Its spying capabilities include:

  • Intercepting SMS messages and call logs
  • Tracking the victim’s real-time location using GPS
  • Reading and stealing files stored on the device
  • Using the microphone to record audio
  • Accessing the camera to take photos and videos
  • Capturing screenshots of the device’s display
  • Logging keystrokes using Android Accessibility Services

All the stolen data is encrypted before being sent to the hacker-controlled servers. Each infected app uses a separate Firebase project and C2 server to send this stolen information, making it more difficult for cybersecurity experts to shut them all down at once.

How to Stay Safe from KoSpy

Even though these spyware apps have been removed from Google Play and APKPure, users who installed them must take action to remove any traces of infection. Cybersecurity experts recommend manually uninstalling these apps and scanning the device with a security tool. In severe cases, a factory reset may be necessary to completely remove KoSpy from the device.

Google Play Protect, a security feature on Android, can detect and block known malware, including KoSpy. Users should keep this feature enabled to help prevent future infections.

A Google spokesperson confirmed that all KoSpy-related apps and Firebase projects have been taken down. They also stated that Google Play Protect will automatically protect Android users from known versions of this malware, even if they download apps from sources outside Google Play.

This attack highlights the importance of downloading apps only from trusted sources and being careful about which permissions are granted to apps. If an app requests access to sensitive information like messages, location, microphone, or camera, users should be cautious and verify its legitimacy before granting access.
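As an added illustration of the removal and permission advice above (not code from the article or from the researchers it cites), the following audit flags the one package name listed on this page and any app that holds several of the sensitive capabilities KoSpy abuses. The capability-to-permission mapping, the threshold of four, the `com.example.*` packages and the dumpsys-style sample text are assumptions constructed for this example.

```python
import re
# Package name given on this page for the trojanized File Manager app.
KNOWN_BAD_PACKAGES = {"com.file.exploer"}
# Assumed mapping from the capabilities listed above to standard Android permissions.
CAPABILITY_PERMS = {
    "sms": "android.permission.READ_SMS",
    "call_log": "android.permission.READ_CALL_LOG",
    "location": "android.permission.ACCESS_FINE_LOCATION",
    "files": "android.permission.READ_EXTERNAL_STORAGE",
    "microphone": "android.permission.RECORD_AUDIO",
    "camera": "android.permission.CAMERA",
}
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")
# Constructed sample in the style of `adb shell dumpsys package` output.
SAMPLE = """
Package [com.file.exploer] (1a2b):
  android.permission.READ_SMS: granted=true
  android.permission.RECORD_AUDIO: granted=true
Package [com.example.notes] (3c4d):
  android.permission.CAMERA: granted=true
Package [com.example.cleaner] (5e6f):
  android.permission.READ_SMS: granted=true
  android.permission.READ_CALL_LOG: granted=true
  android.permission.ACCESS_FINE_LOCATION: granted=true
  android.permission.RECORD_AUDIO: granted=true
  android.permission.CAMERA: granted=false
"""

def parse_granted(dump_text):
    """Return {package: set of granted permissions}; denied permissions are skipped."""
    granted, current = {}, None
    for line in dump_text.splitlines():
        pkg, perm = PKG_RE.match(line), PERM_RE.match(line)
        if pkg:
            current = pkg.group(1)
            granted.setdefault(current, set())
        elif perm and current and perm.group(2) == "true":
            granted[current].add(perm.group(1))
    return granted

def audit(dump_text, threshold=4):
    """Flag known-bad packages and apps granted >= threshold sensitive capabilities."""
    findings = {}
    for pkg, perms in parse_granted(dump_text).items():
        caps = sorted(c for c, p in CAPABILITY_PERMS.items() if p in perms)
        if pkg in KNOWN_BAD_PACKAGES or len(caps) >= threshold:
            reason = "known-bad package" if pkg in KNOWN_BAD_PACKAGES else "broad sensitive access"
            findings[pkg] = (reason, caps)
    return findings
```

A flagged app is a prompt for review rather than proof of infection, since legitimate apps can also hold several of these permissions.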
