
U.S. cybersecurity firm Lookout reported that APT37, a hacking group backed by North Korean authorities, has developed a new type of spyware. Spyware is software that is installed on a device without the user's consent and that collects and transmits sensitive information.
In a report titled “Lookout Discovers New Spyware by North Korean APT37,” Lookout’s security expert Alemdar Islamoglu revealed that hackers linked to the North Korean regime uploaded Android spyware to Google Play and the App Store, deceiving users into downloading the malicious software KoSpy. KoSpy is an Android-based malware disguised as a utility app. It offers services in both Korean and English, suggesting its targets are Korean- and English-speaking individuals.
TechCrunch reported that KoSpy has been downloaded more than ten times from Google Play, indicating an active espionage campaign. It’s worth noting that North Korean hackers recently stole Ethereum worth $1.4 billion from a cryptocurrency exchange, reportedly to fund the regime’s prohibited nuclear weapons program. However, the specific motivation behind this new spyware remains unclear.
Christoph Hebeisen, Lookout’s head of security intelligence research, told TechCrunch that the limited number of downloads suggests the spyware was likely targeting specific individuals.
KoSpy can harvest sensitive data, including SMS messages, call logs, device location, files and folders, keystrokes, Wi-Fi network details, and lists of installed apps. It can also record audio, capture photos using the device’s camera, and take screenshots. Researchers discovered that KoSpy searches through Firestore, one of Google’s cloud services.
Google spokesperson Ed Fernandez said that Lookout recently shared their findings and emphasized Google’s commitment to user protection, stating, “We have removed all identified apps from Google Play.”