North Korean hackers accused of publishing malware on Google Play

A hacker group allegedly linked to the North Korean government has placed several malicious Android apps on Google Play and tricked some of the platform’s users into installing the infected software, according to cybersecurity firm Lookout.

Image source: lookout.com

The campaign included several samples of the KoSpy malware, at least one of which was downloaded more than a dozen times, according to a screenshot from the Google Play store. The North Korean hackers often use their skills to steal money, experts say, but in this case, their goal is to collect data — KoSpy is a spy app. It collects “a huge amount of sensitive information,” including SMS messages, call logs, device location data, files on the device, keyboard input, Wi-Fi network information, and lists of installed apps. KoSpy records audio, takes photos with cameras, and takes screenshots. It used the Firestore cloud database on Google Cloud infrastructure to obtain “initial configurations.”

Lookout reported its findings to Google, after which Firebase projects were deactivated, KoSpy apps were removed, and the malware itself was added to the automatic detection system. Lookout experts found some KoSpy apps in the alternative APKPure app store, but its administration did not confirm the fact of the cybersecurity experts’ appeal. The alleged victims of the campaign are people from South Korea – some of the infected apps discovered had Korean names, as well as interfaces in Korean and English. References to domain names and IP addresses previously associated with other malware campaigns, for which hackers from the DPRK were accused, were found in the code of the apps.