North Korean Hacker Group ScarCruft Deploys 'KoSpy' Malware for Android Surveillance Operations
The North Korean state-sponsored hacking group ScarCruft (also known as APT37) has been identified deploying a new Android spyware dubbed 'KoSpy' to conduct cyber espionage activities targeting Korean and English language users. The malware's activity was first detected in March 2022, with the latest samples discovered in March 2024. KoSpy has been distributed through various channels including the official Google Play Store and third-party platforms like APKPure.
KoSpy has been distributed disguised as legitimate utility applications such as “File Manager,” “Phone Manager,” “Smart Manager,” “Software Update Utility,” and “Kakao Security.” These applications provide actual functionality to avoid raising user suspicion while simultaneously activating spyware capabilities in the background.
Once installed, KoSpy can collect text messages, call logs, location data, files, audio recordings, and screenshots. The malware is designed to dynamically load additional plugins to expand its surveillance capabilities.
Upon execution, KoSpy connects to a Firebase Firestore cloud database to retrieve configuration information, including the address of its command and control (C2) server. This two-stage C2 approach is designed to help attackers evade detection: the server address is never hardcoded in the app itself, so operators can change it without shipping a new sample.
The malware also performs verification checks to confirm it’s running on a real device rather than an emulator and is programmed to activate only after specific hardcoded dates. This strategy helps prevent early detection during security analysis.
KoSpy can collect a comprehensive range of data from infected devices, including text messages, call histories, location information, internal storage files, screenshots, keystroke data, Wi-Fi network details, and lists of installed applications. It also has capabilities for audio recording and photo capture, enabling thorough surveillance of victims’ daily activities.
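The three behaviours described above (surveillance permissions that a "manager" utility has no plausible need for, emulator checks, and a Firestore-fetched C2 configuration gated behind a hardcoded activation date) are all things an analyst can look for statically in a decompiled APK. The following is an added example written for this page, not code from the researchers or from any tool they used: a small triage scorer over a constructed permission list and constructed decompiler string output. The marker lists (emulator build-property values, Firestore class names, ISO date literals) are assumptions about how such checks typically appear in code, not indicators taken from the KoSpy samples.

```python
import re
from datetime import date

# Permissions a file or phone "manager" utility has no plausible need for, mapped to the
# data category they unlock (the categories the article reports KoSpy collecting).
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.CAMERA": "photo capture",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "keystroke capture",
    "android.permission.QUERY_ALL_PACKAGES": "installed application list",
}

# Build/hardware property values commonly compared against to recognise the Android
# emulator. Assumption: the article does not say which checks KoSpy performs.
EMULATOR_MARKERS = ("goldfish", "ranchu", "google_sdk", "sdk_gphone", "generic_x86")

# Class-name fragments showing the app can pull remote configuration from Firestore.
FIRESTORE_MARKERS = ("com.google.firebase.firestore", "com/google/firebase/firestore",
                     "FirebaseFirestore")

# ISO-style date literals: the simplest form a hardcoded activation date can take.
DATE_LITERAL = re.compile(r"\b(20\d{2})-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])\b")


def triage(permissions, strings, analysis_date):
    """Score one APK's decompiled artifacts against the behaviours described in the article.

    permissions:   uses-permission names from AndroidManifest.xml
    strings:       string constants emitted by a decompiler
    analysis_date: the date the analyst is running; a gate date after it is suspicious
    """
    surveillance = sorted(p for p in permissions if p in SURVEILLANCE_PERMISSIONS)
    emulator_checks = sorted({s for s in strings for m in EMULATOR_MARKERS if m in s})
    firestore = any(m in s for s in strings for m in FIRESTORE_MARKERS)

    gate_dates = []
    for s in strings:
        for y, mo, d in DATE_LITERAL.findall(s):
            gate_dates.append(date(int(y), int(mo), int(d)))
    # Only dates still in the future can be "do nothing until then" gates.
    future_gates = sorted(d for d in gate_dates if d > analysis_date)

    score = min(len(surveillance), 4)        # cap so a sloppy manifest alone cannot dominate
    score += 2 if emulator_checks else 0
    score += 2 if firestore else 0
    score += 3 if future_gates else 0        # a future gate plus remote config is the strongest signal
    return {
        "surveillance_permissions": surveillance,
        "emulator_checks": emulator_checks,
        "firestore_config": firestore,
        "future_activation_dates": future_gates,
        "score": score,
        "verdict": "investigate" if score >= 5 else "low",
    }


# Constructed sample input: what a decompiler might emit for a trojanised "File Manager"
# build. These values are illustrative and not taken from any real sample.
SAMPLE_PERMISSIONS = [
    "android.permission.INTERNET",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
]
SAMPLE_STRINGS = [
    "Lcom/google/firebase/firestore/FirebaseFirestore;",
    "ro.hardware", "goldfish", "ranchu",
    "2024-06-01",            # constructed activation date, after the analysis date below
    "File Manager",
]

# Constructed benign counterpart: a file manager that only needs storage and network.
BENIGN_PERMISSIONS = ["android.permission.INTERNET", "android.permission.READ_EXTERNAL_STORAGE"]
BENIGN_STRINGS = ["File Manager", "Rename", "Delete", "2019-01-01"]

ANALYSIS_DATE = date(2024, 3, 15)

if __name__ == "__main__":
    for label, perms, strs in (("trojanised", SAMPLE_PERMISSIONS, SAMPLE_STRINGS),
                               ("benign", BENIGN_PERMISSIONS, BENIGN_STRINGS)):
        print(label, triage(perms, strs, ANALYSIS_DATE))
```

The scoring weights are deliberately coarse: the point is that each behaviour on its own has benign explanations (a camera app needs CAMERA, many apps use Firestore), while the combination of surveillance permissions unrelated to the app's stated purpose, emulator checks, remote configuration and a future activation date is what warrants manual review.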
The malware can expand its functionality by downloading additional plugins and configuration information at specific times. However, researchers note that the C2 server is currently inactive, making it difficult to determine the exact role of these plugins.
Researchers have identified similarities between KoSpy’s attack infrastructure and campaigns previously attributed to another North Korean hacking group known as Kimsuky (APT43). This suggests possible sharing of technologies and infrastructure or collaboration between North Korean cyber espionage organizations.
Google has removed the malicious applications from the Play Store and blocked the most recently discovered malware samples before user installation. The company has also implemented measures to automatically detect and remove the malware through Google Play Protect on Android devices.
Based on the malware’s use of region-specific languages, Google analysts believe this attack is likely a targeted campaign focused on specific individuals rather than a mass infection attempt.
Cybersecurity experts emphasize that users should only install applications from trusted sources and be cautious of apps requesting excessive permissions. Verifying developer information and analyzing reviews before downloading apps is particularly important.
Keeping operating systems and applications updated to the latest versions minimizes security vulnerabilities, and using trusted mobile security solutions provides effective protection.
The KoSpy campaign demonstrates how state-sponsored hacking groups continue to evolve their targeting of mobile environments. North Korean hackers in particular are using sophisticated distribution methods and multi-stage command and control systems to evade detection, highlighting the need for continued vigilance against mobile security threats.