According to cybersecurity company Lookout, a group of hackers with links to the North Korean regime were able to upload Android Spyware to the Google Play App Store and trick some people into downloading it.
In a report published Wednesday and shared only with TechCrunch, Lookout details a spy campaign that includes several different samples of Android Spyware called Kospy.
At least one Spyware app has been downloaded more than 10 times at some point on Google Play, according to the cache snapshot of the app's page on the official Android App Store. Lookout included screenshots of the pages in the report.
Over the past few years, North Korean hackers have grabbed headlines of particularly bold crypto robbers, like the recent theft of Ethereum of about $1.4 billion from Crypto Exchange Bybit. However, for this new Spyware campaign, all indications indicate that this is a monitoring operation, based on the functionality of the SPYware app that Lookout has identified.
According to Lookout, a screenshot of an archived version of the Google Play Store page of an app that pretended to be a file manager but was actually North Korean spyware. (Image: Observation Deck)
While the goals of the North Korean spyware campaign are unknown, Christoph Hebezen, director of security intelligence research at Lookout, told TechCrunch that spyware apps are likely targeting certain people.
According to Lookout, Kospy collects “a large amount of confidential information.” This includes SMS text messages, call logs, device location data for devices, files, folders, user-entered keystrokes, Wi-Fi network details, and a list of installed apps.
Kospy can also record audio, take photos with your phone's camera, and capture screenshots of your screen in use.
Lookout also discovered that Kospy relies on Firestore, a cloud database built on Google Cloud Infrastructure to get “initial configurations.”
Google spokesman Ed Fernandez told TechCrunch that Lookout shared the report with the company, saying, “All identified apps have been removed from Play.” [and] The Firebase project, including the Kospy sample that was on Google Play, is now disabled.
“Google Play uses the Google Play service to automatically protect users from known versions of this malware on Android devices,” Fernandez said.
Google did not comment on a series of specific questions about the report, including whether Google agreed to belong to the North Korean regime or other details about the Lookout report.
Do you have any further information about Contact Us, Kospy, or other spyware? From unprocessed devices and networks, you can safely contact Lorenzo Franceschi-Bicchierai with a signal of +1 917 257 1382, via Telegram and Keybase @lorenzofb, or by email. You can also contact TechCrunch via SecureDrop.
According to the report, Lookout has discovered some of the spyware apps from the third-party app store Apkpure. An Apkpure spokesperson said the company has not received “any email” from Lookout.
The person who controls the email addresses of developers listed on the Google Play page hosting the Spyware app, or who did not respond to TechCrunch's request for comment.
Lookout's Hebeisen, along with senior staff security intelligence researcher Alemdar Islamoglu, told TechCrunch that although Lookout has no information about who is being targeted, he is confident that this is a highly targeted campaign and can chase after South Koreans who speak English or Koreans.
Lookout's ratings are based on the names of apps that we discover, some of which are Korean, some of which have Korean titles, and the user interface supports both languages.
Lookout also discovered that Spyware apps use domain names and IP addresses previously identified as being present in malware and command and control infrastructure.
“What's fascinating about North Korean threat actors is that they're somewhat successful in putting apps in their official app store,” Hebeisen said.