North Korean KoSpy Malware Targets Google Play Users

Security researchers have uncovered the 'KoSpy' spyware, linked to North Korean hacking group APT37, infiltrating Google's Play Store and third-party APKPure with at least five malicious apps. Disguised as utility apps, KoSpy secretly collected sensitive data, such as SMS messages, call logs, and screenshots, and targeted English and Korean-speaking users. The spyware leveraged Firebase Firestore and hardcoded AES keys for data exfiltration to North Korean-controlled servers. Google's Play Protect was able to detect and warn users of the malware, which has since been removed from the app stores. Despite the low number of downloads, the campaign is believed to have specifically targeted individuals in South Korea. The spyware campaign has been active since March 2022, with the latest sample found in March 2024, although the command and control servers are currently inactive.