TechCrunch News, March 12, 18:11
North Korean government hackers snuck spyware on Android app store
Cybersecurity firm Lookout has published a report stating that a hacking group linked to the North Korean regime uploaded Android spyware to the Google Play app store and tricked users into downloading it. The spyware, named KoSpy, can collect sensitive information including SMS messages, call logs, location data, files, keystrokes, Wi-Fi information and the list of installed apps, and can also record audio, take photos and capture screenshots. Lookout believes this was a targeted surveillance operation, probably aimed at specific people, particularly English or Korean speakers in South Korea. Google has removed the related apps from the Play Store.

🕵️‍♂️ Lookout found that a North Korean hacking group uploaded Android spyware named KoSpy to the Google Play Store through an app disguised as a file manager; the app had been downloaded more than 10 times.

📱 The KoSpy spyware can steal a large amount of sensitive information, including SMS messages, call logs, device location, files, keystrokes, Wi-Fi network details and the list of installed apps, and can even record audio, take photos and capture screenshots.

🎯 Lookout’s analysis indicates that the campaign likely targeted specific people, particularly English or Korean speakers located in South Korea, based on the apps’ names and languages and on domain names and IP addresses associated with North Korean hacking groups.

A group of hackers with links to the North Korean regime uploaded Android spyware onto the Google Play app store and were able to trick some people into downloading it, according to cybersecurity firm Lookout.

In a report published on Wednesday, and exclusively shared with TechCrunch ahead of time, Lookout details an espionage campaign involving several different samples of an Android spyware it calls KoSpy, which the company attributes with “high confidence” to the North Korean government.

At least one of the spyware apps was at some point on Google Play and downloaded more than 10 times, according to a cached snapshot of the app’s page on the official Android app store. Lookout included a screenshot of the page in its report.

In the last few years, North Korean hackers have grabbed headlines especially for their daring crypto heists, like the recent theft of around $1.4 billion in Ethereum from crypto exchange Bybit, with the goal of furthering the country’s banned nuclear weapons program. In the case of this new spyware campaign, however, all signs point to this being a surveillance operation, based on the functionality of the spyware apps identified by Lookout.

A screenshot of an archive version of a Google Play store page of an app that pretended to be a file manager, but was actually North Korean spyware, according to Lookout. (Image: Lookout)

The goals of the North Korean spyware campaign are not known, but Christoph Hebeisen, Lookout’s director of security intelligence research, told TechCrunch that with only a few downloads, the spyware app was likely targeting specific people. 

According to Lookout, KoSpy collects “an extensive amount of sensitive information,” including: SMS text messages, call logs, the device’s location data, files and folders on the device, user-entered keystrokes, Wi-Fi network details, and a list of installed apps. 

KoSpy can also record audio, take pictures with the phone’s cameras, and capture screenshots of the screen in use.

Lookout also found that KoSpy relied on Firestore, a cloud database built on Google Cloud infrastructure, to retrieve “initial configurations.”

Google spokesperson Ed Fernandez told TechCrunch that Lookout shared its report with the company, and “all of the identified apps were removed from Play [and] Firebase projects deactivated,” including the KoSpy sample that was on Google Play.  

“Google Play automatically protects users from known versions of this malware on Android devices with Google Play Services,” said Fernandez.  

Google did not comment on a series of specific questions about the report, including whether Google agreed with the attribution to the North Korean regime, and other details about Lookout’s report. 

Do you have more information about KoSpy, or other spyware? From a non-work device and network, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.

The report also said Lookout found some of the spyware apps on the third-party app store APKPure. An APKPure spokesperson said the company did not receive “any email” from Lookout.  

The person, or people, in control of the developer’s email address listed on the Google Play page hosting the spyware app did not respond to TechCrunch’s request for comment.

Lookout’s Hebeisen, along with Alemdar Islamoglu, a senior staff security intelligence researcher, told TechCrunch that while Lookout doesn’t have any information about who specifically may have been targeted — hacked, effectively — the company is confident that this was a highly targeted campaign, most likely going after people in South Korea, who speak English or Korean. 

Lookout’s assessment is based on the names of the apps it found, some of which are in Korean, on the fact that some of the apps have Korean-language titles, and on the user interface supporting both languages, according to the report.

Lookout also found that the spyware apps use domain names and IP addresses that were previously identified as being present in malware and command and control infrastructure used by North Korean government hacking groups APT37 and APT43. 

“The thing that is fascinating about the North Korean threat actors is that they are, it seems, somewhat frequently successful in getting apps into official app stores,” said Hebeisen.
