Researchers Uncover North Korean Surveillance Applications in Google Play Store

# **Spyware from North Korea Found in Google Play Store Applications**

## **Introduction**
Cybersecurity experts have identified a recent surge of harmful Android applications that stealthily gathered sensitive information from users and sent it to intelligence agencies in North Korea. Some of these applications were even listed on the Google Play Store, managing to evade Google’s safety protocols. The spyware, referred to as **KoSpy** by the security firm Lookout, masqueraded as utility applications for file management, software updates, and enhancing device security.

## **Functionality of the Spyware**
KoSpy is engineered to covertly gather a variety of personal information from compromised devices. The malware can:

- Access **SMS texts** and **call history**
- Monitor **device location**
- Extract **files and directories** from local storage
- Record **audio** and capture **images** using the device's camera
- Take **screenshots** and log **screen activity**
- Track **keystrokes** through accessibility features
- Acquire **Wi-Fi network information**
- List **installed apps**

The gathered information is encrypted using a preset **AES key** prior to being sent to command-and-control (C2) servers managed by North Korean intelligence agents.

## **Identified Malicious Applications**
The spyware was detected in at least five distinct applications, which include:
1. **휴대폰 관리자 (Phone Manager)**
2. **File Manager**
3. **스마트 관리자 (Smart Manager)**
4. **카카오 보안 (Kakao Security)**
5. **Software Update Utility**

These applications were accessible on both the **Google Play Store** and the **third-party Apkpure marketplace**. The developer email linked to these apps was **mlyqwl@gmail[.]com**, and the privacy policy was hosted at **goldensnakeblog.blogspot[.]com**.

## **Response from Google**
Google has since taken down the malicious applications from the Play Store and removed the associated **Firebase configuration database**, which the spyware used to retrieve its settings. However, Google has not disclosed how many users were affected or how long the apps were available before they were detected.

A representative from Google noted that **Google Play Protect** can identify and remove some malicious applications, including those installed from sources other than the Play Store. Nonetheless, this incident underscores the limits of automated security checks in keeping advanced spyware out of official app stores.

## **Perpetrators Behind the Attack**
Lookout analysts suspect that the spyware is associated with **North Korean advanced persistent threat (APT) groups**, particularly:

- **APT37 (ScarCruft)**
- **APT43 (Kimsuky)**

These organizations are recognized for executing cyber-espionage operations targeting individuals and entities globally.

## **Staying Safe**
Android users should exercise heightened caution when installing applications, particularly those requiring extensive permissions. Here are some important security recommendations:

- **Refrain from downloading apps from unknown developers** or unverified app stores.
- **Review app permissions** prior to installation; be cautious of apps asking for access to SMS, call histories, or device storage.
- **Utilize Google Play Protect** to scan installed applications for malware.
- **Keep your device updated** regularly to fix security loopholes.
- **Observe device behavior** for any unusual activities, like unexpected battery drainage or excessive data usage.

If you suspect that your device may be infected, look for the signs of compromise outlined in Lookout’s [comprehensive report](https://www.lookout.com/threat-intelligence/article/lookout-discovers-new-spyware-by-north-korean-apt37).
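One way to turn the permission review above into a repeatable check, as an added example that is not part of the article or of Lookout's tooling: a Python script that scores each installed app's granted permissions against the capability list from the Functionality section, so that a "utility" app holding SMS, call-log, location, storage and microphone access all at once stands out. It assumes per-package dumps produced by `adb shell dumpsys package <pkg>` (the `granted=true` line format is assumed from typical Android output), and the sample dumps below are constructed, not captured from KoSpy.

```python
import re
from typing import Dict, List, Set, Tuple

# Android permissions mapped to the data categories KoSpy is reported to collect.
# Keystroke capture through accessibility services is not a requested permission
# (the app registers an AccessibilityService), so it is not covered by this check.
KOSPY_CAPABILITIES: Dict[str, str] = {
    "android.permission.READ_SMS": "SMS texts",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.ACCESS_FINE_LOCATION": "device location",
    "android.permission.READ_EXTERNAL_STORAGE": "files and directories",
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.CAMERA": "camera images",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi network information",
    "android.permission.QUERY_ALL_PACKAGES": "installed apps",
}
# Matches lines such as "android.permission.READ_SMS: granted=true, flags=[ USER_SET ]"
GRANTED_RE = re.compile(r"(android\.permission\.[A-Z_]+): granted=true")

def granted_permissions(dumpsys_text: str) -> Set[str]:
    """Permissions marked granted=true in `adb shell dumpsys package <pkg>` output (assumed format)."""
    return set(GRANTED_RE.findall(dumpsys_text))

def matched_capabilities(dumpsys_text: str) -> List[str]:
    """KoSpy data categories an app could collect with the permissions it actually holds."""
    granted = granted_permissions(dumpsys_text)
    return sorted(cap for perm, cap in KOSPY_CAPABILITIES.items() if perm in granted)

def suspicious_apps(dumps: Dict[str, str], threshold: int = 4) -> List[Tuple[str, List[str]]]:
    """Flag packages covering at least `threshold` categories. One sensitive permission
    is normal (a messaging app needs SMS); the combination in a 'utility' app stands out."""
    return sorted((pkg, caps) for pkg, text in dumps.items()
                  if len(caps := matched_capabilities(text)) >= threshold)

# Constructed sample dumps in dumpsys format (not real KoSpy output).
SAMPLE_DUMPS = {
    "com.example.filemanager": """
      android.permission.ACCESS_WIFI_STATE: granted=true
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
    """,
    "com.example.flashlight": """
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=false, flags=[ USER_SET ]
    """,
}
```

On a real device, feed `suspicious_apps` a dict built from `adb shell pm list packages -3` and one `dumpsys package` call per third-party package; a flagged app is a prompt to inspect it, not proof of infection.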

## **Conclusion**
The revelation of **KoSpy** emphasizes the increasing complexity of cyber threats and the necessity for caution when installing mobile applications. Despite Google’s actions to eliminate the harmful apps, users need to stay alert and implement best security practices to safeguard their personal information from cyber-espionage activities.