Researchers from Lookout, a cybersecurity company focused on mobile devices, have discovered a group of Android applications carrying spyware that collected and sent all kinds of user data to cybercriminals linked to the government of North Korea. These applications managed to get past Google's controls and were hosted in the Google Play Store, although they have already been removed.
The malware, which Lookout calls KoSpy, poses as utility applications: file management for the device, app and operating system updates, and security improvements, among others. Behind this useful appearance, the apps collect a wide variety of data, including SMS messages, call logs, location, files and screenshots, and can record audio and the infected device's screen, subsequently sending the information to servers controlled by North Korean intelligence. These applications target English and Korean speakers and have been available, in addition to the Google Play Store, in the third-party app store APKPure.
These are the applications with North Korean malware
The KoSpy spyware has been found in these 5 applications:
- 휴대폰관리자 (Phone Manager).
- File Manager.
- 스마트관리자 (Smart Manager).
- 카카오보안 (Kakao Security).
- Software Update Utility.
According to Lookout researchers, the IP addresses hosting KoSpy's command and control servers have previously been linked to at least three domains that, since 2019, have hosted infrastructure used in North Korean espionage operations.
The apps relied on a two-stage command and control infrastructure that fetched its configuration from a database hosted in Firebase, Google's web application development platform. This database has also been removed by Google.
Most of the applications offered at least part of the promised functionality alongside KoSpy. The exception is Kakao Security, which only shows a fake system window that asks for various permissions Lookout describes as 'risky', among them the ability to scan the user's files and applications in the cloud.

Spyware with advanced espionage functions
The report indicates that 'KoSpy can collect a lot of sensitive information on victims' devices with the help of dynamically loaded plugins'. Its capabilities include:
- Collecting SMS messages.
- Obtaining call logs.
- Retrieving the device location.
- Accessing files and folders in local storage.
- Recording audio and taking photos with the cameras.
- Capturing screenshots or recording the screen in use.
- Logging keystrokes by abusing accessibility services.
- Collecting details of Wi-Fi networks.
- Generating a list of installed applications.
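The capability list above maps almost one-to-one onto Android permissions that an app must declare in its manifest, which is what an analyst or an app-vetting pipeline looks at first when triaging a suspicious utility app. The following Python script is an added example written for this article, not code from Lookout or from the report; the grouping of permissions into capabilities, the alert threshold and the two sample manifests are this example's own assumptions, with the manifests constructed inline. Screenshots and screen recording are obtained through a runtime consent dialog rather than an install-time permission, so they are deliberately not covered here.

```python
import xml.etree.ElementTree as ET

# Namespace used by every android:* attribute in AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Standard Android permissions that correspond to the KoSpy capabilities
# named in the report. The grouping is this example's own assumption.
CAPABILITY_PERMISSIONS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "wifi": {"android.permission.ACCESS_WIFI_STATE"},
    "app_list": {"android.permission.QUERY_ALL_PACKAGES"},
}


def parse_manifest(xml_text):
    """Return (declared permissions, declares an accessibility service)."""
    root = ET.fromstring(xml_text)
    permissions = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    # Keystroke logging through accessibility abuse requires a <service>
    # guarded by BIND_ACCESSIBILITY_SERVICE, so that declaration is the tell.
    accessibility = any(
        el.get(PERM_ATTR) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for el in root.iter("service")
    )
    return permissions, accessibility


def assess(xml_text, threshold=4):
    """Map permissions to spyware-relevant capabilities and flag dense clusters.

    A file manager legitimately needs storage access; one that also wants
    SMS, call logs, microphone, camera and an accessibility service does not.
    The threshold is an assumption for this example, not a published figure.
    """
    permissions, accessibility = parse_manifest(xml_text)
    capabilities = sorted(
        cap for cap, perms in CAPABILITY_PERMISSIONS.items() if permissions & perms
    )
    if accessibility:
        capabilities.append("accessibility")
    return {"capabilities": capabilities, "suspicious": len(capabilities) >= threshold}


# Constructed sample: a file manager asking only for what it needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

# Constructed sample: a "file manager" declaring the whole capability set above.
OVERREACHING_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager.fake">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("overreaching", OVERREACHING_MANIFEST)):
        print(label, assess(manifest))
```

The point of the heuristic is the combination, not any single permission: storage access on a file manager is expected, while the full cluster of SMS, call log, microphone, camera, package enumeration and an accessibility service on the same app is the profile the report describes and warrants manual review.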
The collected data are sent to the command and control (C2) servers after being encrypted with a predefined AES key. Lookout researchers identified 5 different Firebase projects and 5 different C2 servers during their analysis of KoSpy samples; the details are in the Indicators of Compromise section of the report.
Linking with North Korea
Lookout attributes the KoSpy spyware, with medium confidence, to the North Korean advanced persistent threat (APT) group called ScarCruft, also known as APT37. It is a cyberespionage group sponsored by the North Korean state and has been active since 2012.
The report also points out that there is evidence of infrastructure shared between KoSpy and APT43, another well-known group sponsored by the North Korean state, also known as Kimsuky. North Korean threat actors are known to have overlapping infrastructure, targets and TTPs (tactics, techniques and procedures), which sometimes makes attribution to a specific actor difficult.
These data, together with the connection of its infrastructure to previous malicious activity aimed at Korean users and the linguistic focus of the malicious applications, allow Lookout to establish a strong link between the KoSpy spyware and North Korea.