North Korean Spyware Infiltrates Google Play Store – Ankor Tech

Hackers linked to the North Korean regime successfully bypassed security measures to upload malicious Android spyware onto the official Google Play store. According to a new report from cybersecurity firm Lookout, the malware—dubbed “KoSpy”—was designed to exfiltrate sensitive user data and was likely part of a highly targeted espionage campaign.

[Figure: archived version of the Google Play store page for the fake "File Manager" app that was identified as North Korean spyware and used to distribute KoSpy.]

A Targeted Surveillance Operation

While North Korean state-sponsored actors have gained notoriety for massive cryptocurrency heists—such as the theft of $1.4 billion in Ethereum from the Bybit exchange—this latest operation signals a shift toward focused surveillance. Lookout researchers identified at least one instance where a KoSpy-infected app reached the Google Play store and was downloaded more than 10 times.

Christoph Hebeisen, director of security intelligence research at Lookout, suggests the low download count indicates that the attackers were not casting a wide net, but rather targeting specific individuals. The malware was also discovered on the third-party platform APKPure.

What Data Does KoSpy Steal?

Once installed, KoSpy functions as a powerful surveillance tool. It is capable of harvesting an extensive range of private information, including:

  • SMS text messages and call logs
  • GPS location data and device file systems
  • User keystrokes and Wi-Fi network history
  • Installed application lists

Beyond data exfiltration, the spyware can record audio, capture images using the device’s cameras, and take real-time screenshots of the user’s activity.

Infrastructure and Attribution

Lookout attributes the malware to North Korean operators with “high confidence,” citing the use of domain names and IP addresses previously linked to the notorious APT37 and APT43 hacking groups. The apps often featured interfaces in both English and Korean, suggesting the campaign was aimed at speakers of those languages, likely within South Korea.

The malware utilized Google’s own Firestore cloud database infrastructure to retrieve configuration files, a tactic designed to blend in with legitimate network traffic.

Google’s Response

Upon being notified by Lookout, Google took immediate action. Spokesperson Ed Fernandez confirmed that the identified applications were removed from the Play Store and the associated Firebase projects were deactivated. “Google Play automatically protects users from known versions of this malware on Android devices with Google Play Services,” Fernandez stated.

Despite the removal, the incident highlights a persistent challenge for mobile security. As Hebeisen noted, North Korean threat actors have shown a concerning ability to successfully navigate the submission processes of official app stores, necessitating constant vigilance from both platform providers and end-users.