
Android spyware ‘KoSpy’ spread by suspected North Korean APT

A novel Android spyware believed to originate from North Korean state-sponsored group APT37 collects data such as SMS messages, call logs and location via dynamically loaded plugins.

Dubbed "KoSpy," the malware was discovered by Lookout Threat Lab researchers and detailed in a blog post published Wednesday.

The spyware was spread through apps disguised as utilities such as “File Manager” and “Software Update Utility,” and targeted Korean- and English-speaking users. Previously available in the Google Play Store, the malicious apps have since been removed by Google. The apps were also spread through third-party app stores such as Apkpure, according to Lookout.

When a user installed and opened one of the apps, they would typically see a plain interface matching the app's stated purpose, such as a basic file manager, or be redirected to one of the phone's built-in system utilities.

Meanwhile, in the background, KoSpy would load configuration files from Firebase Firestore containing a command-and-control (C2) server address and an "on/off" switch for the spyware. Google has since deactivated the Firebase projects associated with the campaign, Lookout noted.

Once a C2 connection is established and KoSpy ensures the device is not an emulator, the malware downloads plugins and additional configurations for its surveillance functions via HTTP POST requests.

Using dynamically loaded plugins, KoSpy is capable of collecting a wide range of information from the victim’s device, including SMS messages, call logs, device location, files and folders on local storage, WiFi network details and a list of installed applications.

Additionally, the spyware can record audio, take photos with device cameras, capture screenshots and screen recordings, and record keystrokes by abusing built-in accessibility features. Data collected by KoSpy is encrypted using a hardcoded AES key before being sent off to the attacker’s C2 server.
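The behaviours described above (remote configuration pulled from Firebase Firestore, an emulator check, plugins fetched over HTTP POST and loaded dynamically, accessibility-service abuse, and a hardcoded AES key) are all visible in decompiled code, which makes them usable as triage heuristics when reviewing an unpacked APK. The script below is an added example and not Lookout's tooling or anything derived from KoSpy samples: the regexes target standard Android and Firebase API names, the sample "decompiled" sources and manifests are constructed inline, and the scoring thresholds are an assumption chosen for illustration.

```python
"""Heuristic static triage of an unpacked Android app (decompiled Java/Kotlin or smali
plus AndroidManifest.xml), keyed to the behaviour pattern described for KoSpy.
Added example; indicator patterns are generic Android/Firebase API names, not
signatures extracted from any real sample."""
import re
from collections import defaultdict

# Indicator name -> regex over decompiled source text. Each one alone is common in
# benign apps; the combination is what the article describes.
INDICATORS = {
    "remote_config_firestore": re.compile(r"FirebaseFirestore|com/google/firebase/firestore"),
    "emulator_check": re.compile(r"Build\.FINGERPRINT|\"goldfish\"|\"ranchu\""),
    "dynamic_code_loading": re.compile(r"DexClassLoader|PathClassLoader|InMemoryDexClassLoader"),
    "http_post_download": re.compile(r"setRequestMethod\(\s*\"POST\"\s*\)|HttpURLConnection"),
    "accessibility_service": re.compile(r"AccessibilityService|onAccessibilityEvent"),
    "media_capture": re.compile(r"MediaRecorder|MediaProjection|android\.hardware\.camera2"),
    # A string literal fed straight into SecretKeySpec is a hardcoded symmetric key.
    "hardcoded_key_literal": re.compile(r"SecretKeySpec\(\s*\"[^\"]+\"\.getBytes"),
}

# Permissions matching the data the article says the spyware collects.
SURVEILLANCE_PERMS = {
    "READ_SMS", "READ_CALL_LOG", "ACCESS_FINE_LOCATION", "RECORD_AUDIO",
    "CAMERA", "BIND_ACCESSIBILITY_SERVICE",
}


def scan_sources(files):
    """files: {path: decompiled text}. Returns {indicator: sorted paths that matched}."""
    hits = defaultdict(set)
    for path, text in files.items():
        for name, rx in INDICATORS.items():
            if rx.search(text):
                hits[name].add(path)
    return {name: sorted(paths) for name, paths in hits.items()}


def surveillance_permissions(manifest_xml):
    """Return the declared permissions that fall in the surveillance set, sorted."""
    declared = set(re.findall(r"android\.permission\.([A-Z_]+)", manifest_xml))
    return sorted(declared & SURVEILLANCE_PERMS)


def triage(files, manifest_xml):
    """Combine source indicators and manifest permissions into a verdict.
    Thresholds are an assumption for this example, not a published standard."""
    hits = scan_sources(files)
    perms = surveillance_permissions(manifest_xml)
    score = len(hits) + len(perms)
    # Remote config + dynamic plugin loading + surveillance permissions together is
    # the chain the article describes, so that combination is escalated outright.
    if "remote_config_firestore" in hits and "dynamic_code_loading" in hits and len(perms) >= 2:
        verdict = "high"
    elif score >= 3:
        verdict = "medium"
    else:
        verdict = "low"
    return {"indicators": hits, "permissions": perms, "score": score, "verdict": verdict}


# --- Constructed sample inputs (not real app code) ---------------------------------
SAMPLE_FILES = {
    "com/example/updater/Loader.java": """
        import com.google.firebase.firestore.FirebaseFirestore;
        import dalvik.system.DexClassLoader;
        import javax.crypto.spec.SecretKeySpec;
        public class Loader {
          static boolean isEmulator() { return android.os.Build.FINGERPRINT.startsWith("generic"); }
          void fetch(String url) throws Exception {
            java.net.HttpURLConnection c = (java.net.HttpURLConnection) new java.net.URL(url).openConnection();
            c.setRequestMethod("POST");
          }
          void load(String dex) { new DexClassLoader(dex, null, null, getClass().getClassLoader()); }
          SecretKeySpec key = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
        }""",
    "com/example/updater/Watcher.java": """
        public class Watcher extends android.accessibilityservice.AccessibilityService {
          android.media.MediaRecorder rec = new android.media.MediaRecorder();
          public void onAccessibilityEvent(android.view.accessibility.AccessibilityEvent e) {}
        }""",
}
SAMPLE_MANIFEST = """<manifest>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

BENIGN_FILES = {
    "com/example/files/Browser.java": """
        public class Browser { java.io.File[] list(java.io.File d) { return d.listFiles(); } }""",
}
BENIGN_MANIFEST = """<manifest>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""

if __name__ == "__main__":
    for label, f, m in (("sample", SAMPLE_FILES, SAMPLE_MANIFEST), ("benign", BENIGN_FILES, BENIGN_MANIFEST)):
        r = triage(f, m)
        print(label, r["verdict"], r["score"], sorted(r["indicators"]), r["permissions"])
```

On a real unpacked app, point `scan_sources` at the output of a decompiler and `surveillance_permissions` at the extracted manifest; treat the result as a prioritisation aid for manual review, since a legitimate updater or file manager can also use dynamic loading or Firebase on its own.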

Lookout identified five C2 servers and Firebase projects tied to the KoSpy campaign. Analyzing the IP addresses behind the C2 server domains revealed clues linking the spyware to the North Korea-backed cyberespionage group APT37, also known as ScarCruft.

For example, related domains were previously involved in attacks deploying the Konni desktop malware that were linked to APT37. However, Lookout also uncovered domains resolving to the same IP addresses that are believed to be used by another notorious North Korean nation-state threat actor, APT43, aka Kimsuky.

Lookout ultimately assessed with medium confidence that KoSpy originated from APT37 and believes that APT37 and APT43 likely use shared infrastructure.

APT37 has been active since 2012 and primarily targets users in South Korea, although it has also conducted operations in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait and the Middle East, according to Lookout.

KoSpy is believed to have existed since March 2022, with the latest sample acquired in March 2024.
