North Korean government hackers sneaked spyware onto the Android app store
Hackers with links to the North Korean regime uploaded Android spyware to the Google Play app store and managed to get some people to download it, according to cybersecurity firm Lookout.
In a report published Wednesday and shared exclusively with TechCrunch in advance, Lookout details an espionage campaign involving several different samples of Android spyware it calls KoSpy, which the company attributes with "high confidence" to the North Korean government.
At least one of the spyware apps was at some point available on Google Play and was downloaded more than 10 times, according to a cached snapshot of the app's page on the official Android app store. Lookout included a screenshot of the page in its report.
In recent years, North Korean hackers have made headlines mostly for their daring heists, such as the recent theft of around $1.4 billion in Ethereum from the crypto exchange Bybit, aimed at funding the country's banned nuclear weapons program. In the case of this new spyware campaign, however, all signs point to a surveillance operation, based on the functionality of the spyware apps identified by Lookout.

The targets of the North Korean spyware campaign are not known, but Christoph Hebeisen, Lookout's director of security research, told TechCrunch that with only a handful of downloads, the spyware app most likely targeted specific people.
According to Lookout, KoSpy collects "an extensive amount of sensitive information", including: SMS messages, call logs, device location data, files and folders on the device, the user's keystrokes, Wi-Fi network details and the list of installed apps.
KoSpy can also record audio, take photos with the phone's cameras and capture screenshots of the screen in use.
Lookout also found that KoSpy relied on Firestore, a cloud database built on Google Cloud infrastructure, to retrieve its "initial configurations".
Google spokesperson Ed Fernandez told TechCrunch that Lookout had shared its report with the company, and that "all identified apps have been removed from Play [and] Firebase projects deactivated", including the KoSpy sample that was on Google Play.
"Google Play automatically protects users from known versions of this malware on Android devices with Google Play Services," said Fernandez.
Google did not comment on a series of specific questions about the report, including whether Google agreed with the attribution to the North Korean regime, and on other details in the Lookout report.
The report also indicates that Lookout found some of the spyware apps on the third-party app store APKPure. A spokesperson for APKPure said the company had received "no email" from Lookout.
The person, or people, in control of the developer email address listed on the Google Play page hosting the spyware app did not respond to TechCrunch's request for comment.
Lookout's Hebeisen, together with Alemdar Islamoglu, a principal security intelligence researcher, told TechCrunch that while Lookout has no information on who specifically may have been targeted, that is, hacked, the company is confident it was a highly targeted campaign, most likely aimed at people in South Korea who speak English or Korean.
Lookout's assessment is based on the names of the apps it found, some of which have Korean-language titles, and on the fact that the apps' user interface supports both languages, according to the report.
Lookout also found that the spyware apps use domain names and IP addresses previously identified as part of the malware and command-and-control infrastructure used by the North Korean government hacking groups APT37 and APT43.
"What is fascinating about North Korean threat actors is that they seem to be somewhat frequently successful in getting apps into official app stores," said Hebeisen.