New North Korea-linked Android spyware KoSpy targets Korean and English-speaking users

Lookout Threat Lab researchers have uncovered a new Android surveillance tool named KoSpy, which is believed to target both Korean and English-speaking users. The researchers attributed the spyware with medium confidence to the North Korean Advanced Persistent Threat (APT) group ScarCruft (also known as APT37). The earliest known samples of KoSpy date back to March 2022, with the most recent variants detected in March 2024.

KoSpy is distributed through fake utility applications, which masquerade as helpful tools, including ‘File Manager,’ ‘Software Update Utility,’ and ‘Kakao Security.’ The malicious apps were initially found on the Google Play Store, where they were used to infect devices. Additionally, the spyware leveraged Firebase Firestore, a cloud-based database, for configuration management and receiving updates. However, all affected apps have been removed from the Google Play Store, and Google has deactivated the associated Firebase projects.

ScarCruft has been active since 2012 and primarily targets South Korea. Over time, the group has expanded its reach to other nations, including Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and several Middle Eastern countries.

The malicious apps feature basic user interfaces that lead to internal phone settings, while secretly activating the spyware’s surveillance functionalities.

KoSpy’s surveillance mechanism begins by retrieving a configuration from Firebase Firestore. This configuration contains two important parameters: an on/off switch and the address of the command-and-control (C2) server. After obtaining the C2 address, KoSpy performs checks to ensure the device is not an emulator and that the activation date has passed. This date check prevents the spyware from revealing its malicious activity prematurely. Once activated, KoSpy communicates with the C2 server to receive plugins and additional configurations for its surveillance functions.

The plugins enable KoSpy to gather a broad range of sensitive information from the infected device, including SMS messages, call logs, device location, files and folders on local storage, audio recordings, photos, screenshots, screen recordings, keystrokes, Wi-Fi network details, and a list of installed apps.
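As an added triage example (not code from Lookout or from the article), the script below maps the surveillance capabilities listed above to the Android runtime permissions an app would need for them, and flags an installed app whose display name matches one of the lure names given earlier and whose granted permissions cover several of those capabilities. The capability-to-permission mapping and the dumpsys-style excerpt are this example's own assumptions; the package name is a placeholder, not a KoSpy indicator.

```python
import re
from typing import Dict, List, Set

# Surveillance capabilities the article attributes to KoSpy's plugins, mapped to
# the Android runtime permissions an app needs for them. The mapping is this
# example's assumption, not something the article states.
CAPABILITY_PERMISSIONS: Dict[str, Set[str]] = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "audio_recording": {"android.permission.RECORD_AUDIO"},
    "photos": {"android.permission.CAMERA"},
}

# Display names of the lure apps the article names (matched case-insensitively).
LURE_LABELS = {"file manager", "software update utility", "kakao security"}

# Constructed excerpt shaped like `adb shell dumpsys package <pkg>` output.
# The package name is a placeholder, not a real KoSpy indicator.
SAMPLE_DUMPSYS = """\
Package [com.placeholder.filemgr] (1a2b3c):
  runtime permissions:
    android.permission.READ_SMS: granted=true
    android.permission.READ_CALL_LOG: granted=true
    android.permission.ACCESS_FINE_LOCATION: granted=true
    android.permission.RECORD_AUDIO: granted=true
    android.permission.CAMERA: granted=false
"""

PERM_RE = re.compile(r"(android\.permission\.[A-Z_]+): granted=true")


def granted_permissions(dump: str) -> Set[str]:
    """Extract runtime permissions marked granted=true from a dumpsys excerpt."""
    return set(PERM_RE.findall(dump))


def covered_capabilities(perms: Set[str]) -> List[str]:
    """Return the article's capability names that the granted permissions allow."""
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items()
                  if needed & perms)


def triage(label: str, dump: str, min_caps: int = 3) -> Dict[str, object]:
    """Flag an app whose label matches a lure name and whose granted permissions
    cover at least `min_caps` of the surveillance capabilities."""
    caps = covered_capabilities(granted_permissions(dump))
    lure = label.strip().lower() in LURE_LABELS
    return {"label": label, "lure_name": lure, "capabilities": caps,
            "suspicious": lure and len(caps) >= min_caps}


if __name__ == "__main__":
    print(triage("File Manager", SAMPLE_DUMPSYS))
```

A name match alone is a weak signal, since legitimate apps use the same generic labels; the permission coverage is what makes the combination worth a closer look.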

The stolen data is encrypted using a hardcoded AES key and sent to the C2 servers. Researchers identified five different Firebase projects and C2 servers during their investigation.

In terms of attribution, Lookout researchers noted that KoSpy shares infrastructure and tactics with previous activities attributed to two other North Korean hacking groups: APT43 and APT37. These groups have been observed to have overlapping infrastructure and tactics, making it challenging to pinpoint which specific group is responsible.
