DPRK spy app infiltrates Google Play — attack details
A group of cybercriminals linked to the North Korean authorities published an Android spyware app on the Google Play store and managed to deceive some users into downloading it.
TechCrunch reports on this.
What app did North Korean hackers upload to Google Play?
In the research, published on Wednesday, March 12, and provided exclusively to TechCrunch in advance, cybersecurity company Lookout describes the cyberespionage campaign, which includes several samples of Android malware that the company has dubbed KoSpy. According to experts, it is "highly likely" that this spyware was developed by the North Korean authorities.
According to Lookout, at least one of these malicious apps has been available on Google Play for some time and, according to the app’s page data, has had more than 10 downloads. In the report, the company provided the screenshot of the app’s page from the official Android store.
In recent years, hackers from North Korea have often made headlines for large-scale cryptocurrency thefts, such as the recent theft of approximately USD 1.4 billion in Ethereum from the Bybit exchange, which, according to speculation, could have been used to support the country’s banned nuclear program. However, according to Lookout, this case was an espionage operation, which is confirmed by the functionality of the detected malicious apps.
"In the archived version of Google Play, we found the File Manager app, which is actually North Korean spyware," the Lookout research says.
It is unclear what the ultimate goal of this cyberattack was, but Christoph Hebeisen, director of security research at Lookout, suggested in his comment to TechCrunch that the small number of downloads indicates that it may have targeted specific individuals.
According to Lookout, KoSpy collects a large amount of sensitive data, including:
- SMS messages;
- call logs;
- geolocation information;
- files and folders on the device;
- keystrokes entered by the user;
- information about connected Wi-Fi networks;
- a list of installed applications.
KoSpy is also capable of making audio recordings, taking photos from smartphone cameras, and taking screenshots.
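The capability list above is also a practical triage checklist for defenders: an app that presents itself as a file manager has no business declaring SMS, call-log, microphone, camera or accessibility-service permissions. The following script is an added example, not code from the Lookout report or from TechCrunch; it parses a decompiled AndroidManifest.xml, maps the declared permissions back to the capability categories the report attributes to KoSpy, and lists every capability that the app's stated purpose does not explain. The permission-to-capability mapping and the sample manifest are assumptions constructed here for illustration (the report does not publish KoSpy's manifest), and screenshot capture is not mapped because it needs no manifest permission.

```python
"""Triage an Android manifest's permissions against the spyware capability
categories described in the Lookout report (added example, not project code)."""
import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in AndroidManifest.xml.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability categories from the report, mapped to the Android permissions an
# app would normally need to implement them. This mapping is an assumption
# made here for illustration, not a statement about KoSpy's actual manifest.
CAPABILITY_PERMISSIONS = {
    "SMS messages": {"android.permission.READ_SMS",
                     "android.permission.RECEIVE_SMS"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "geolocation": {"android.permission.ACCESS_FINE_LOCATION",
                    "android.permission.ACCESS_COARSE_LOCATION"},
    "files and folders": {"android.permission.READ_EXTERNAL_STORAGE",
                          "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "keystrokes (accessibility service)": {
        "android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "connected Wi-Fi networks": {"android.permission.ACCESS_WIFI_STATE"},
    "installed applications": {"android.permission.QUERY_ALL_PACKAGES"},
    "audio recording": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
}


def declared_permissions(manifest_xml):
    """Return the set of permission strings a manifest declares.

    Covers both <uses-permission android:name="..."> entries and the
    android:permission attribute on <service> elements, which is where an
    accessibility service (a common keystroke-capture vector) is declared.
    """
    root = ET.fromstring(manifest_xml)
    found = set()
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name")
        if name:
            found.add(name)
    for svc in root.iter("service"):
        perm = svc.get(ANDROID_NS + "permission")
        if perm:
            found.add(perm)
    return found


def matched_capabilities(permissions):
    """Map a set of declared permissions to the report's capability categories."""
    return {cap for cap, perms in CAPABILITY_PERMISSIONS.items()
            if perms & permissions}


def triage(manifest_xml, expected_capabilities):
    """Return, sorted, the capabilities the manifest enables that the app's
    stated purpose (expected_capabilities) does not account for."""
    caps = matched_capabilities(declared_permissions(manifest_xml))
    return sorted(caps - set(expected_capabilities))


# Constructed sample: a "File Manager" whose manifest asks for far more than
# file access. The package name and service name are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager">
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="File Manager">
        <service android:name=".KeyService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    </application>
</manifest>
"""

# A file manager legitimately needs storage access and nothing else from the list.
FILE_MANAGER_EXPECTED = {"files and folders"}

if __name__ == "__main__":
    for cap in triage(SAMPLE_MANIFEST, FILE_MANAGER_EXPECTED):
        print("unexplained capability:", cap)
```

Run against the constructed manifest, the script reports eight capabilities that a file manager cannot justify. The same check can be applied to any APK after extracting its manifest with a decompiler; the value lies in comparing what an app declares against what its Play Store listing claims it does.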
In addition, Lookout found that KoSpy used Firestore, a cloud database on Google Cloud infrastructure, to obtain initial configurations.
Google spokesperson Ed Fernandez confirmed to TechCrunch that Lookout shared its report with Google, after which all the detected apps were removed from Play, and projects in Firebase were deactivated, including the version of KoSpy that was on Google Play.
As a reminder, popular Chrome browser extensions were compromised by attackers, who pushed malicious updates that put more than 3 million users at risk.
We also wrote that the hidden code was found in Bluetooth chips used in billions of devices around the world. Experts believe that it can be used by attackers to penetrate these devices.