North Korean Hackers Distributed Android Spyware via Google Play


A North Korean APT actor has been targeting Korean and English-speaking users with an Android surveillance tool distributed via Google Play, cybersecurity firm Lookout warns.

Dubbed KoSpy, the spyware has been in use since March 2022, posing as utility applications to infect unsuspecting users, and abusing Google Play and the Firebase Firestore for app distribution and configuration retrieval.

The surveillance tool has been attributed to the North Korean APT ScarCruft, also known as APT37, which has been active since 2012, targeting mainly entities in South Korea, along with China, India, Japan, Kuwait, Nepal, Romania, Russia, Vietnam, and Middle Eastern countries.

KoSpy has been observed masquerading as five applications: a phone manager, file manager, smart manager, software update utility, and a fake security application.

After the lure application has been installed, KoSpy fetches from Firebase Firestore configuration data that allows threat actors to enable and disable the spyware and change its ...


Copyright of this story solely belongs to securityweek.