
North Korean Hackers Target Android Users with Spyware

March 12, 2025

North Korean Hackers Deploy Spyware on Google Play Store

Cybersecurity firm Lookout has revealed that a group of hackers, believed to be associated with the North Korean government, successfully uploaded Android spyware to the Google Play app store.

This allowed them to deceive users into downloading malicious applications. A detailed report, shared exclusively with TechCrunch prior to public release, outlines an espionage operation utilizing multiple variants of Android spyware dubbed KoSpy.

Spyware Distribution and Initial Access

At least one of the compromised applications was briefly available on Google Play, accumulating over 10 downloads before its removal. Lookout’s report includes a screenshot verifying its presence on the official Android marketplace.

While North Korean hackers have recently gained notoriety for large-scale cryptocurrency thefts – including a recent $1.4 billion Ethereum heist from Bybit – intended to fund the nation’s nuclear weapons program, this campaign appears focused on surveillance.

Christoph Hebeisen, Lookout’s director of security intelligence research, indicated to TechCrunch that the limited number of downloads suggests a highly targeted operation.

KoSpy Capabilities and Data Collection

KoSpy is designed to gather a comprehensive range of sensitive data from infected devices. This includes:

  • SMS text messages
  • Call logs
  • Location data
  • Files and folders
  • Keystrokes
  • Wi-Fi network details
  • Installed applications

Furthermore, the spyware can activate the device’s microphone for audio recording, utilize the cameras to capture images, and create screenshots of the current screen.
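The data types listed above each map onto a specific Android permission or component, which gives defenders a cheap triage signal before any dynamic analysis. The script below is an added example (not Lookout's tooling and not derived from the KoSpy samples): it parses an AndroidManifest.xml, maps the requested permissions onto the capability categories named in this report, treats a declared accessibility service as the keystroke-capture indicator, and flags an app whose profile covers most of them. The two manifests are constructed for illustration; the capability threshold of five is an arbitrary assumption to tune locally.

```python
"""Triage an Android manifest against the surveillance capability profile above."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Each capability named in the report, with the standard Android permissions that enable it.
CAPABILITY_PERMISSIONS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "wifi": {"android.permission.ACCESS_WIFI_STATE"},
    "installed_apps": {"android.permission.QUERY_ALL_PACKAGES"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
}
# Keystroke capture on Android is typically done through an accessibility service,
# which must be declared in the manifest with this permission.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")}


def declares_accessibility_service(manifest_xml: str) -> bool:
    """True if any <service> is bound with the accessibility-service permission."""
    root = ET.fromstring(manifest_xml)
    return any(svc.get(PERM_ATTR) == ACCESSIBILITY_PERMISSION for svc in root.iter("service"))


def capability_profile(manifest_xml: str) -> set:
    """Map the manifest onto the capability categories used in the report."""
    perms = requested_permissions(manifest_xml)
    caps = {cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}
    if declares_accessibility_service(manifest_xml):
        caps.add("keystrokes")
    return caps


def triage(manifest_xml: str, threshold: int = 5) -> dict:
    """Flag the app when it covers at least `threshold` capabilities (threshold is an assumption)."""
    caps = capability_profile(manifest_xml)
    return {"capabilities": sorted(caps), "flagged": len(caps) >= threshold}


# Constructed sample: a "utility" app requesting a broad surveillance permission set.
SUSPICIOUS_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.constructed.utility">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: a benign app that only needs network access.
BENIGN_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.constructed.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

A manifest alone proves nothing, since a legitimate messaging or backup app can justifiably request several of these permissions; the value of this check is ranking which apps deserve a closer look, and the accessibility-service declaration combined with microphone, camera and SMS access is the combination worth escalating.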

The spyware also leverages Firestore, a cloud database service provided by Google Cloud, to obtain initial configurations.

Google’s Response and Remediation

Google spokesperson Ed Fernandez confirmed to TechCrunch that Lookout’s report was shared with the company. Consequently, all identified applications were removed from the Play Store, and associated Firebase projects were deactivated.

Fernandez stated that Google Play’s built-in protections automatically safeguard users from known malware variants on devices equipped with Google Play Services.

However, Google declined to comment on specific aspects of the report, including confirmation of the attribution to the North Korean regime.

Additional Findings and Third-Party App Stores

The report also revealed the presence of some of the spyware apps on the third-party app store, APKPure. An APKPure spokesperson stated they had not received any communication from Lookout regarding this matter.

Attempts to contact the developer associated with the Google Play listing were unsuccessful.

Targeting and Attribution

Lookout researchers, including Alemdar Islamoglu, a senior staff security intelligence researcher, believe the campaign was highly targeted, likely focusing on individuals in South Korea proficient in either English or Korean.

This assessment is based on the Korean language elements within the app names and user interfaces. The spyware also utilizes domain names and IP addresses previously linked to North Korean government hacking groups, APT37 and APT43.

Hebeisen noted the concerning frequency with which North Korean threat actors appear to successfully infiltrate official app stores.
