Suspected North Korea Group Targets Android Devices with Spyware
A North Korean state-sponsored group used the Google Play store and a third-party app store to infect Android devices with spyware aimed at English- and Korean-speaking users.
The spyware, dubbed KoSpy by researchers with cybersecurity firm Lookout, was used by the advanced persistent threat group APT37 – also known as ScarCruft – to collect a wide range of sensitive data from victims’ devices. Its capabilities included collecting text messages and call logs, finding the device’s location, recording key strokes, accessing files and folders, and recording audio and taking photos.
The malware also could take screenshots, record while the device was being used, collect Wi-Fi information, and create a list of installed apps.
KoSpy was hidden inside five fake utility apps with names like “File Manager,” “Software Update Utility,” “Smart Manager,” and “Kakao Security,” and was distributed through Google Play and a Firebase Firestore database.
Google has removed all the apps noted in Lookout’s report from Google Play and deactivated the associated Firebase projects, according to the cybersecurity firm.
Espionage and Financial Motivations
The wide use of mobile devices makes them a target for spyware and other financially motivated cyberattacks, according to Zscaler’s ThreatLabz group. Will Seaton, ThreatLabz’s senior product marketing manager, wrote last year that 96.5% of people access the internet with a mobile device and 59% of internet traffic is generated by mobile devices.
That contributed to a 111% growth in mobile attacks using spyware between June 2023 and May 2024, Seaton wrote.
Spyware has also become a tool for espionage. North Korea’s government uses spyware and other malware to collect sensitive data and to bring money into the regime to help fund its weapons programs. In addition, commercial spyware from the likes of NSO Group, Cy4Gate, RCS Lab, and Intellexa has been used by governments to track particular groups of people, such as journalists, activists, and human rights groups.
KoSpy Arrives on the Scene
KoSpy is relatively new, with early samples dating back to 2022, according to Alemdar Islamoglu, a security intelligence engineer at Lookout. The most recent samples were found in March 2024.
“The samples with utility application lures have basic interfaces which open up the related internal phone settings view,” Islamoglu wrote in a report. “For instance, the Software Update Utility opens up the Software Update screen under the System settings. The File Manager app functions as a simple file browser with some additional features. The Kakao Security app, on the other hand, doesn’t have any useful functionality and displays a fake system window and requests multiple permissions.”
That said, behind the basic functions tied to the app names, KoSpy also deploys its spyware functionality. It first fetches a simple, encrypted configuration from Firebase Firestore containing two parameters: an on-off switch and the command-and-control (C2) server address.
Pinging the C2
“This two-staged C2 management approach provides the threat actor with flexibility and resiliency,” he wrote. “They can enable or disable the spyware and change C2 addresses at any time in the case of a C2 being detected or blocked.”
Once it has the C2 address, the spyware checks that the device isn’t an emulator and that the current date is past a hardcoded activation date, so that it doesn’t reveal its malicious behavior prematurely.
KoSpy sends two types of requests to the C2. One downloads plugins; the other pulls in configurations for its surveillance functions, including how often the C2 will ping the spyware, the Korean and English messages that the user will see, the URL for downloading a plugin, and the class name to load.
According to Islamoglu, more than half of the apps have titles written in Korean, while the UI supports both languages. The messages and text fields will show in either Korean or English, depending on how the Android device is set.
Shared Infrastructure
There is overlap between APT37 and another North Korean-backed threat group, the higher-profile APT43, also known as Kimsuky. One of the C2 domains for KoSpy is located in South Korea and linked to other malicious Korea-related domain names via shared infrastructure.
Two domain names were involved in attacks that used the Konni desktop malware, a Windows remote access trojan (RAT) linked to APT37. Another domain uses the same IP address that Microsoft had reported was tied to C2 infrastructure used by APT43.
“North Korean threat actors are known to have overlapping infrastructure, targeting and TTPs [tactics, techniques, and procedures] which makes attribution to a specific actor more difficult,” Islamoglu said, adding that attributing KoSpy to APT37 was based on the shared infrastructure and common targeting.