North Korean Hackers Infiltrate Google Play with Spyware Apps
A group of hackers linked to the North Korean government managed to get spyware into the Google Play Store, tricking users into downloading malicious apps. Cybersecurity firm Lookout identified the spying campaign and attributed it with "high confidence" to North Korean actors.
North Korean threat actors seem to succeed with some frequency in infiltrating apps in official stores, says Christoph Hebeisen, Director, Security Intelligence Research, Lookout. North Korea has been linked to multiple cyber operations in recent years, including cryptocurrency thefts and espionage campaigns. In this case, the spyware campaign, dubbed "KoSpy" by Lookout, appears to be focused on intelligence gathering rather than financial gain.
The technical infrastructure used in this campaign matches domains and IP addresses previously associated with North Korean hacking groups such as APT37 and APT43. These groups are known for their focus on strategic targets, including governments, military organizations and entities in South Korea.
Lookout says that KoSpy collects a wide range of sensitive data, such as text messages, call logs, device location, files, keystrokes, Wi-Fi network details and lists of installed applications. In addition, the spyware can record audio, take photos, and capture screenshots.
KoSpy used Firestore, a Google Cloud (Firebase) database, to retrieve its initial configuration. Staging the configuration in a legitimate cloud service allowed the attackers to keep a low profile and avoid initial detection. Although Google removed the malicious apps and disabled the associated Firebase projects, KoSpy's presence in the Google Play Store highlights weaknesses in the app review process.
Lookout also found samples of KoSpy on APKPure, a third-party app store. Although APKPure said it had not received any notification from Lookout, the spyware's presence on multiple platforms suggests a coordinated and well-planned campaign.
The KoSpy campaign reflects a growing trend of state actors using spyware for targeted surveillance, reports TechCrunch. Lookout suggests that the targets likely included individuals in South Korea, given the Korean-language application names and user interfaces. The case underscores the need for improved detection and review mechanisms on platforms such as the Google Play Store, as well as the importance of cybersecurity education for end users.