A group of hackers with links to the North Korean regime uploaded Android Spyware to the Google Play App Store and managed to deceive some people to download it, according to Cybersecurity Lookout.
In a report published WednesdayAnd exclusively shares with TechCrunch ahead of time, the Lookout describes a espionage campaign that includes many different examples of a spyware Android called Kospy, which the company “highly trusts” to the North Korean government.
At least one of the spyware apps were at some point on Google Play and downloaded more than 10 times, according to a stored snapshot of the app page on the official Android App Store. The lookout included a page screenshot of the page in its report.
In recent years, North Korean hackers have grabbed headlines specifically for their bold cryptographic cryptographs, such as the recent theft of about $ 1.4 billion in Ethereum by Crypto Exchange Bybit, with the aim of promoting the country’s banned nuclear weapons program. In the case of this new spyware campaign, however, all signs show that this is a surveillance business, based on the functionality of the Spyware -determined applications.
The goals of the North Korean Spyware campaign are not known, but Christoph Hebeisen, director of Lookout for Security Intelligence Research, told TechCrunch that with only a few shots, the spyware app is probably aimed at specific people.
According to the Lookout, Kospy collects “an extensive amount of sensitive information”, including: SMS text messages, call logs, device location data, files and folders on the device, keyboards imported by users, Wi-Fi network details and listing list.
KOSPY can also record audio, take photos with the phone cameras and record screenshots of the screen used.
Lookout also found that Kospy supported FirefighterA cloud database based on the Google Cloud infrastructure to recover “original configurations”.
Google Ed Fernandez spokesman told TechCrunch that Lookout shared its report with the company and “all specified applications were removed from the play [and] Firebase Projects turned off ”, including the KOSPY sample on Google Play.
“Google Play automatically protects users from well -known versions of this malicious software on Android devices with Google Play services,” Fernandez said.
Google did not comment on a number of specific questions about the report, including whether Google has agreed with North Korea’s performance and other details on the Lookout report.
Contact us
Do you have more information about KOSPY or other spyware? From a device and non-work network, you can contact Lorenzo Franceschi-bicchierai safely on the signal on +1 917 257 1382, or through the telegram and keybase @lorenzofb or email. You can also contact TechCrunch via securedrop.
The report also said that Lookout found some of the Spyware apps in the third -party Appure App Store. An APKPure spokesman said the company received “no email” from the Lookout.
The person or people under the control of the developer’s email address mentioned on the Google Play page hosting the spyware app did not respond to TechCrunch’s request for comments.
Lookout’s Hebeisen, along with Alemdar Islamoglu, a senior staff safety researcher, told TechCrunch that while Lookout has no information about who may have been specifically targeted – it has efficiently engraved – the company is convinced that it was a highly targeted campaign by English or Korea.
Lookout evaluation is based on the names of the applications they found, some of which are in Korean and that some of the applications have Korean language titles and the user environment supports both languages, according to the report.
Lookout also found that Spyware applications use IP sector names and addresses previously identified as malicious software and command infrastructure and controls used by North Korea Hacking groups APT37 and APT43.
“The thing that is exciting for North Korean threat actors is that it is, it seems, somewhat successful to get applications in official application stores,” Hebeisen said.
