A newly discovered Android spyware, KoSpy, has been identified as a sophisticated surveillance tool linked to the North Korean APT group ScarCruft (APT37). This malicious software has been actively targeting South Korean, Japanese, Indian, Russian, and Middle Eastern users since its emergence in March 2022, with the most recent samples detected in March 2024.
KoSpy disguises itself as a legitimate utility application to deceive users into installing it. The identified fake applications include Phone Manager, File Manager, Smart Manager, Kakao Security, and Software Update Utility.
According to researchers, the apps were distributed through the Google Play Store, with Firebase Firestore used as the first-stage configuration channel rather than for app delivery. Google has since removed the malicious apps from Play and deactivated the associated Firebase projects.
Once installed, KoSpy keeps up the pretence of being a working utility by opening the relevant system settings view. In the background, however, the spyware retrieves an encrypted configuration file from Firebase Firestore, which dictates both its activation status and the command-and-control (C2) server address.

This dual-stage C2 management system allows attackers to remotely enable or disable the malware and change the C2 when needed to evade detection.
KoSpy performs several security checks before executing its malicious functions to avoid detection. These include verifying that the device is not an emulator and ensuring the current date is past a hardcoded activation date.
KoSpy is designed to collect a broad range of sensitive data from infected devices. Using dynamically loaded plugins, it can:
- Collect SMS messages and call logs.
- Track device location.
- Access files and folders.
- Record audio and take photos.
- Capture screenshots and record the screen.
- Log keystrokes via accessibility service abuse.
- Gather WiFi network details.
- Compile a list of installed applications.
Researchers discovered that the collected data is encrypted with a hardcoded AES key before being transmitted to the C2 servers; because the key is embedded in the sample, anyone holding the APK can decrypt captured exfiltration traffic. They also identified five Firebase projects and associated C2 servers linked to KoSpy operations.

KoSpy sends two HTTP POST requests to its C2 servers: one for downloading plugins and another for retrieving surveillance configuration settings. The latter request returns a JSON document containing encrypted settings, including C2 ping frequency, messages displayed in Korean and English, URL for plugin downloads, and class name for dynamic loading.
“KoSpy sends two different types of requests to the C2 address. One downloads plugins while the other retrieves configurations for the surveillance functions. The plugin request is supposed to receive an encrypted, compressed binary; however, this could not be confirmed since no C2 was active during the analysis,” researchers explained.
While some KoSpy C2 domains remain active, they do not respond to client requests, indicating that the attackers may have changed infrastructure to avoid detection.
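The staged activation flow described above (emulator and date gates, the Firestore on/off document with its C2 pointer, then the C2's JSON surveillance configuration) is easy to misread in a sandbox: a sample that never sees a real device or a clock past its activation date looks benign. The following Python model is an added illustration written for this article, not KoSpy's own code. Field names, URLs, messages and the activation date are assumptions; the article only says what kind of information each document carries. The real documents are AES-encrypted with a hardcoded key, so this model works on the decrypted JSON to run offline.

```python
"""Model of KoSpy's staged activation and configuration handling (illustrative).

Added example for this article, not the spyware's own code. The article states
only that (1) a Firestore document carries an on/off flag and a C2 address,
(2) the C2 returns JSON with a ping frequency, Korean and English messages, a
plugin URL and a class name to load, and (3) the malware stays idle on emulators
or before a hardcoded date. Field names, URLs and the date below are assumed.
"""
import json
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

# Constructed first-stage documents (the Firestore kill switch and C2 pointer).
FIRESTORE_DOC = json.dumps({"enabled": True, "c2": "https://c2.example.invalid/api"})
FIRESTORE_DOC_OFF = json.dumps({"enabled": False, "c2": "https://c2.example.invalid/api"})

# Constructed second-stage document (what the C2 config endpoint would return).
C2_CONFIG = json.dumps({
    "ping_interval_sec": 3600,
    "msg_ko": "업데이트 중...",
    "msg_en": "Updating...",
    "plugin_url": "https://c2.example.invalid/plugin.bin",
    "plugin_class": "com.example.Plugin",
})
REQUIRED_C2_FIELDS = ("ping_interval_sec", "msg_ko", "msg_en", "plugin_url", "plugin_class")

# Assumed activation date; the article says only that one is hardcoded.
ACTIVATION_DATE = date(2022, 3, 1)


@dataclass
class DeviceState:
    is_emulator: bool
    today: date


def device(is_emulator: bool, iso_day: str) -> DeviceState:
    """Build a device state from an ISO date string such as '2024-06-01'."""
    return DeviceState(is_emulator, date.fromisoformat(iso_day))


def environment_check(dev: DeviceState, activation: date = ACTIVATION_DATE) -> Optional[str]:
    """Return why the malware would stay dormant, or None if the checks pass."""
    if dev.is_emulator:
        return "emulator detected"
    if dev.today < activation:
        return "clock before activation date"
    return None


def stage_one(firestore_json: str) -> Optional[str]:
    """First stage: the Firestore document. Returns the C2 URL, or None if switched off."""
    doc = json.loads(firestore_json)
    if not doc.get("enabled", False):
        return None
    return doc.get("c2")


def stage_two(c2_json: str) -> Dict[str, object]:
    """Second stage: the C2's surveillance config. Rejects incomplete or odd documents."""
    cfg = json.loads(c2_json)
    missing = [f for f in REQUIRED_C2_FIELDS if f not in cfg]
    if missing:
        raise ValueError("config missing fields: " + ", ".join(missing))
    if not isinstance(cfg["ping_interval_sec"], int) or cfg["ping_interval_sec"] <= 0:
        raise ValueError("ping interval must be a positive integer")
    return cfg


def simulate(dev: DeviceState, firestore_json: str, c2_json: str) -> Dict[str, object]:
    """Walk the gates in the order the article describes: checks, Firestore, then C2."""
    reason = environment_check(dev)
    if reason is not None:
        return {"state": "dormant", "reason": reason}
    c2 = stage_one(firestore_json)
    if c2 is None:
        return {"state": "disabled", "reason": "Firestore flag off"}
    cfg = stage_two(c2_json)
    return {
        "state": "active",
        "c2": c2,
        "ping_interval_sec": cfg["ping_interval_sec"],
        "plugin_url": cfg["plugin_url"],
        "plugin_class": cfg["plugin_class"],
    }


if __name__ == "__main__":
    for dev in (device(True, "2024-06-01"), device(False, "2021-12-31"), device(False, "2024-06-01")):
        print(dev, "->", simulate(dev, FIRESTORE_DOC, C2_CONFIG))
    print(simulate(device(False, "2024-06-01"), FIRESTORE_DOC_OFF, C2_CONFIG))
```

Two practical consequences fall out of the model. A dynamic-analysis run on an emulator, or with the system clock set before the activation date, exits at the first gate and never touches Firestore or the C2, so the absence of network traffic proves nothing. And because the operator can flip the Firestore flag or swap the C2 address at any time without shipping a new APK, a captured document that reads "disabled" today says nothing about the app's behaviour tomorrow; the plugin URL and class name are what to pivot on when hunting related infrastructure.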