North Korean government-backed hackers successfully uploaded spyware to the Google Play Store, where it was downloaded by unsuspecting users, according to a report released Wednesday by cybersecurity firm Lookout. The malware, named KoSpy, was designed to conduct extensive surveillance, collecting call logs, messages, and even activating a device's camera and microphone.
Lookout, which attributes the campaign to North Korea with "high confidence," said the spyware was likely aimed at a small, targeted group of individuals rather than the general public. "With only a few downloads, the spyware app was likely targeting specific people," said Christoph Hebeisen, Lookout's director of security intelligence research.
At least one of the KoSpy-infected applications was listed on the Google Play Store and downloaded more than ten times before being removed, according to Lookout's findings. The firm shared screenshots of the app's now-deleted store page. The malware was also discovered on the third-party app store APKPure.
KoSpy was capable of collecting detailed user data, including SMS text messages, call logs, GPS location, stored files, keystrokes, and lists of installed applications. The spyware could also remotely record audio, take photos, and capture screenshots, raising concerns about its potential use for espionage. Lookout found that the spyware used Google's Firestore, a cloud database service, to manage its configuration.
Google confirmed that it had removed all identified spyware applications from the Play Store and deactivated related Firebase projects after receiving Lookout's report. "Google Play automatically protects users from known versions of this malware on Android devices with Google Play Services," said Google spokesperson Ed Fernandez. However, the company declined to comment on whether it agreed with Lookout's assessment that the malware was linked to the North Korean government.
Lookout researchers found connections between KoSpy and previously identified North Korean hacking groups, including APT37 and APT43, which have been involved in past cyber espionage campaigns. The spyware's infrastructure, including its domain names and IP addresses, had been linked to North Korea's malware and command-and-control networks.
Although the specific targets of this attack remain unknown, Lookout noted that the malware's design and language settings suggested a focus on users in South Korea who speak Korean or English. The spyware's interface supported both languages, and some of the compromised applications had Korean-language titles.
North Korea's cyber operations have made headlines in recent years, often involving cryptocurrency thefts to fund the country's weapons programs. In a separate case, hackers affiliated with the regime reportedly stole $1.4 billion in Ethereum from the crypto exchange Bybit. However, Lookout believes this latest malware campaign was focused on espionage rather than financial gain.