
Once again, North Korean hackers use counterfeit apps to distribute spyware on Android devices.
Summary: Malware slipping past Google's review process and into the Play Store is nothing new, and it keeps happening. The latest case involves spyware submitted to the Android app store by a hacking group believed to be associated with the North Korean government.
Researchers at Lookout Threat Lab identified the spyware, named KoSpy, and attributed it with medium confidence to the North Korean APT group known as ScarCruft, also tracked as APT37.
The spyware was hidden inside the usual kinds of fraudulent applications seen in such campaigns: file managers, software update tools, and security applications.
KoSpy has the capability to extract a significant amount of sensitive data from the infected devices. This encompasses SMS messages, call logs, device location, access to local files and folders, Wi-Fi network information, and a comprehensive list of installed applications.
The spyware can also carry out more intrusive actions: capturing photos and videos with the device's cameras, taking screenshots or recording the screen while the device is in use, and logging keystrokes by abusing Android accessibility features.
Lookout notes that the collected data is encrypted with a hardcoded AES key before being sent to command and control (C2) servers.
KoSpy also used Firebase Firestore, Google's cloud-hosted database, to retrieve its initial configuration data.
At least one of the infected applications was available on the Google Play Store for some time. A cached version of the Play Store listing for the File Manager app indicates it was downloaded more than 10 times.

Some of the malicious applications were also found on the third-party app store APKPure.
Beyond data collection, the specific objectives of the campaign remain unclear. Christoph Hebeisen, Director of Security Intelligence Research at Lookout, told TechCrunch that the relatively low download counts on the Play Store and elsewhere suggest the spyware apps were likely aimed at specific individuals, particularly English or Korean speakers in South Korea.
A Google spokesperson, Ed Fernandez, told tech news site TechCrunch that Lookout has shared their findings with the company, and all identified apps have since been removed from the Play Store. The Firebase projects have also been shut down.
Last month, the Dubai-based cryptocurrency exchange Bybit was hit in a heist carried out by the notorious state-backed North Korean hacking group Lazarus. The theft of $1.5 billion in digital assets makes it the largest crypto heist on record.
