
Android spyware KoSpy, attributed to the North Korean hacking group ScarCruft, can monitor SMS, calls, location, files, and screenshots via dynamically loaded plugins.
The new KoSpy malware, which has been active since 2022 and is likely distributed by state-sponsored North Korean hackers, targets Korean and English-speaking users, researchers at cybersecurity company Lookout claim.
The researchers found the malware in several apps on the Google Play Store, which have since been removed, as well as on the third-party store Apkpure.
Most KoSpy-containing apps, such as Phone Manager or Smart Manager, offer basic functionality, such as viewing internal phone settings. Meanwhile, the app Kakao Security doesn’t have any useful functionality and reportedly displays a fake system window and requests multiple permissions.
According to Lookout, KoSpy begins by fetching a simple encrypted configuration from Firebase Firestore; the document contains an “on”/“off” switch and the address of the command-and-control (C2) server, so the spyware only proceeds to its real C2 once that first stage tells it to.
“This two-staged C2 management approach provides cybercriminals with flexibility and resiliency. They can enable or disable the spyware and change C2 addresses at any time in the case of a C2 being detected or blocked,” the report reads.
The spyware can collect an extensive amount of sensitive information on the victim's devices using dynamically loaded plugins.
Its capabilities include collecting SMS messages and call logs, accessing files and folders on the local storage, recording audio and taking photos with the cameras, as well as screenshots.
The collected data is sent to the C2 servers after getting encrypted with a hardcoded AES key. During the analysis, researchers say they observed five Firebase projects and five different C2 servers.
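The two-stage configuration described above (a Firestore document holding the switch and the C2 address) and the hardcoded exfiltration key are the two artifacts an analyst most wants from a sample like this. The Go program below is an added example, not code from Lookout's report or from the KoSpy sample itself: it assumes a JSON document with `enabled` and `c2` fields and AES-256-GCM with a constructed 32-byte key, neither of which the article specifies, and it uses a constructed string dump in place of real APK output. The point it makes is why a hardcoded key is a liability for the operator: once the key is lifted from the APK, every captured record decrypts, the stage-one switch and C2 address can be read, and the Firebase endpoints are a cheap triage indicator.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

// StageOneConfig models the Firestore document the article describes: an
// on/off switch plus the stage-two C2 address. Field names are assumed.
type StageOneConfig struct {
	Enabled bool   `json:"enabled"`
	C2      string `json:"c2"`
}

// HardcodedKey stands in for the key an analyst lifts from the APK.
// Constructed value; 32 bytes selects AES-256.
var HardcodedKey = []byte("kospy-example-key-32-bytes-long!")

// SampleStrings is a constructed stand-in for `strings`/decompiler output.
var SampleStrings = []string{
	"Lcom/example/phonemanager/SettingsActivity;",
	"https://firestore.googleapis.com/v1/projects/example-proj/databases/(default)/documents/cfg",
	"https://example-proj-default-rtdb.firebaseio.com/",
	"android.permission.READ_SMS",
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord is the implant side: AES-GCM under the baked-in key, nonce
// prepended. The nonce is a parameter so the example is deterministic;
// a real client must draw a fresh random nonce per message.
func SealRecord(key, nonce, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(nonce) != gcm.NonceSize() {
		return nil, errors.New("nonce must be exactly gcm.NonceSize() bytes")
	}
	return gcm.Seal(append([]byte{}, nonce...), nonce, plaintext, nil), nil
}

// OpenRecord is the analyst side: with the recovered key every captured
// record (nonce || ciphertext || tag) decrypts; a wrong key fails the tag check.
func OpenRecord(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("record shorter than nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// ParseStageOne decodes a decrypted switch document and rejects the
// inconsistent case of an "on" switch with no C2 to talk to.
func ParseStageOne(plain []byte) (StageOneConfig, error) {
	var cfg StageOneConfig
	if err := json.Unmarshal(plain, &cfg); err != nil {
		return cfg, err
	}
	if cfg.Enabled && cfg.C2 == "" {
		return cfg, errors.New("switch is on but no C2 address present")
	}
	return cfg, nil
}

var firebaseHost = regexp.MustCompile(`(?i)(firestore\.googleapis\.com|[a-z0-9-]+\.firebaseio\.com)`)

// FindFirebaseIndicators returns the Firebase/Firestore hosts present in a
// string dump, the quickest triage hook for this stage-one pattern.
func FindFirebaseIndicators(dump []string) []string {
	var hits []string
	for _, s := range dump {
		if m := firebaseHost.FindString(s); m != "" {
			hits = append(hits, m)
		}
	}
	return hits
}

func main() {
	doc := []byte(`{"enabled":true,"c2":"https://c2.example.invalid/api"}`)
	blob, _ := SealRecord(HardcodedKey, []byte("012345678901"), doc)
	plain, _ := OpenRecord(HardcodedKey, blob)
	cfg, _ := ParseStageOne(plain)
	fmt.Printf("switch=%v c2=%s\n", cfg.Enabled, cfg.C2)
	fmt.Println("firebase indicators:", FindFirebaseIndicators(SampleStrings))
}
```

In practice the decrypter is run over captured C2 traffic or over the Firestore document itself once the key and the field layout have been confirmed in the decompiled code; the `enabled`-without-`c2` check exists because an operator flipping the switch before setting the address is exactly the kind of inconsistency worth logging rather than silently skipping.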
According to Lookout, KoSpy is similar to previous malicious activity attributed to two North Korean threat groups. One is ScarCruft, also known as APT37, which primarily targets Korean users but has also run operations in other countries, including Japan, Russia, and China.
The researchers claim they also found evidence that the group shares infrastructure with another North Korean hacker group, Kimsuky, also known as APT43.