KosPy: All about the North Korean spyware that attacked Android worldwide

  • KosPy is an advanced spyware distributed through fraudulent apps on the Google Play Store and alternative stores.
  • The malware was linked to North Korean state-run cyber-espionage groups such as APT37 (ScarCruft) and APT43 (Kimsuky).
  • It exfiltrated personal data, messages, calls, and location, controlled critical phone functions, and was removed from the stores after Lookout researchers raised the alarm.

Learn all about KosPy, the North Korean spyware.

Android device security is once again in the spotlight following the detection of a sophisticated digital espionage campaign orchestrated from North Korea. The protagonist of this intricate plot is KosPy, a spyware that, disguised as legitimate applications, has managed to infect thousands of mobile phones worldwide, collecting personal and confidential data from users in various countries. In this extensive article, we will detail everything we know about KosPy, from its origin, distribution method, and technical capabilities to the measures taken to stop its spread, along with very useful recommendations for protecting yourself against similar threats in the future.

If you've ever downloaded an app to manage your files or improve the security of your Android from stores like the Google Play Store or alternative platforms, this is of great interest to you. We'll review how this spyware bypassed security controls, what type of information it was capable of collecting, why it's considered a threat linked to North Korean intelligence, and how to detect warning signs before it's too late.

What is KosPy and who is behind it?

KosPy is a spyware program detected on Android devices and directly linked to North Korean state-backed cyberespionage groups. Its existence was documented by the Lookout team, a cybersecurity firm specializing in mobile device threats, who detected that this malware was hosted on seemingly harmless apps available both on the Google Play Store and third-party app stores, such as APKPure.


KosPy is primarily attributed to a group known as APT37 or ScarCruft, widely recognized for cyberespionage operations linked to the North Korean government for over a decade. Moreover, the digital infrastructure used by KosPy shares connections with another well-known group, Kimsuky (APT43), demonstrating a level of coordination and technical resources that only state actors can afford.

Beware of KosPy, the spyware developed by North Korea

Distribution methods: This is how KosPy infiltrated thousands of Androids

The great ingenuity (and danger) of KosPy lies in its mode of propagation: it managed to overcome Google's strict controls and sneak in as if it were a genuine app, a problem that undermines the trust placed in official app stores.

Among the most notable techniques:

  • Fraudulent applications disguised as utility tools (file managers, software update utilities, security enhancements, etc.).
  • Basic interfaces and titles in English and Korean, which point to a specific target audience.
  • Embedding KosPy in apps such as "Phone Manager", "File Manager", "Smart Manager", "Kakao Security" and "Software Update Utility", all of them approved on the Google Play Store and also replicated on APKPure.
  • Abuse of the Firebase platform as command and control (C2) infrastructure and as a way to dynamically download additional configuration once the app is installed on the victim's device.

The developer behind these apps operated under the pseudonym "Android Utility Developer," even providing contact email addresses to go unnoticed. Following the researchers' alert, Google not only removed all infected apps from its store but also disabled the associated Firebase projects, thus cutting off the communication channel between compromised devices and the cybercriminals' servers.

How does KosPy act once it infects the device?

The main concerns surrounding KosPy are the wide range of data it can collect and the sophistication of its extraction methods. When you open one of these fake apps, KosPy launches in the background, embedding its malicious code to remain undetected and requesting elevated access permissions.

Among the most important technical capabilities of spyware are:

  • Reading and exfiltration of SMS messages.
  • Obtaining call logs and contacts.
  • GPS location monitoring, real-time user tracking.
  • Access to files and folders stored locally on the phone.
  • Recording of ambient audio using the microphone and capturing photographs through the camera.
  • Capture of screenshots and screen recordings, literally spying on everything that is viewed or done on the mobile.
  • Logging keystrokes and app usage by exploiting accessibility services, which may allow the interception of passwords and credentials.
  • Obtaining information about WiFi networks to which the device connects and list of installed applications.

Data is transmitted encrypted (using a predefined AES algorithm) to C2 servers controlled by North Korean hackers, making it difficult for conventional detection to identify the information leak.

Who was KosPy targeting?

Although KosPy has spread globally, most attacks targeted Korean and English-speaking users. The apps' language and the permissions they requested were among the clues used to narrow down potential victims, clearly targeting South Korea and English-speaking countries. However, analyses also detail infections in other regions, including Japan, Vietnam, Russia, Nepal, China, India, Kuwait, Romania, and several Middle Eastern states.

This indicates a strategic interest at the international level, either to access relevant personal information or to spy on political, business or technological movements.


Campaign evolution and Google's reaction

The first documented movement of KosPy dates back to March 2022, although the most recent samples were traced back to early last year. According to Google and Lookout, once the malware's existence was confirmed, all related apps were removed from the Play Store. Additionally, Google Play Protect currently blocks the installation of known KosPy variants, even if downloaded from outside the official store.

However, there is no public data on how many downloads occurred before the removal or how many variants might have circulated undetected. It is therefore recommended to actively monitor app permissions and to keep Android and all apps updated with the latest security patches.

Relationship between KosPy, ScarCruft (APT37), Kimsuky (APT43) and North Korean intelligence

The attribution of KosPy to North Korean state cyber espionage is supported by several technical and infrastructure details:

  • The infrastructure used (IP addresses and domains for C2 servers) has been used in previous attacks attributed to North Korea since at least 2019.
  • Malicious applications share techniques, tactics and procedures (TTPs) with ScarCruft/APT37 campaigns.
  • Some of the code and infrastructure has also been linked to Kimsuky/APT43, indicating possible collaboration or resource sharing between the two groups.
  • The language, regional focus, and type of stolen information fit with interests traditionally associated with North Korean intelligence.

This overlap in methods and objectives among North Korean APT groups sometimes means that attribution of a specific attack is not 100% accurate, but the source is clear to security experts.

List of the most relevant infected applications

If you have questions about apps you've installed on your Android, check out these names, which have been confirmed in Lookout reports and reported by the media:

  • Phone Manager
  • File Manager
  • Smart Manager
  • Kakao Security
  • Software Update Utility

These apps were distributed both on the Google Play Store and on alternative download platforms such as APKPure. If you discover any of these on your device, delete the app immediately and change all your passwords. Also, run a security scan with a reputable app.


What kind of information did KosPy steal and how did it do it?

The level of access and volume of data collected by KosPy far exceeds what is typical for common mobile malware. The information extracted includes:

  • Text messages (SMS and possibly other messaging services)
  • Full details of call logs: numbers, duration, time and date
  • Coordinates of the mobile's position in real time
  • Documents, images and files from internal storage
  • Sounds picked up from the microphone: conversations, ambiance, etc.
  • Photos taken when the camera was activated in the background
  • Screen captures and recordings, allowing you to see everything the user viewed or typed
  • Keylogging abusing accessibility permissions
  • Wi-Fi network information and list of installed apps

Furthermore, all this information was sent encrypted to the command and control (C2) servers through protected channels, which made it difficult to detect using traditional antivirus tools.

Key tips to avoid falling into traps like KosPy

Experts and analysts consulted after the discovery of KosPy recommend extreme caution, as even installing apps solely from the Google Play Store doesn't guarantee absolute security. Their advice includes:

  • Always check the reviews and ratings of apps, and be wary of those with few comments or negative ratings.
  • Check the developer's name, look for additional information about them, and see if they're a trusted and recognized entity.
  • Pay attention to the number of downloads: if the app is new or has very low download rates, be extra cautious.
  • Make sure your operating system and applications are always up to date, as most security holes are fixed via official patches.
  • Only grant essential permissions to each app. If a file management app requests access to your microphone or camera, this is cause for alarm.
  • If you have any of the identified infected apps installed, remove them immediately, change your passwords, and perform a full security checkup.
  • Consider installing a trusted mobile security solution to increase your level of protection and continuous monitoring.
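The capabilities listed above (SMS, call logs, location, microphone, camera, app enumeration, keylogging through accessibility services) each depend on a specific Android permission or setting, so the "only grant essential permissions" advice can be turned into a mechanical check. The following script is an added example written for this article, not code from Lookout, Google or the KosPy analysis: it parses the `requested permissions:` block that `adb shell dumpsys package <pkg>` prints, compares it with what an app's stated purpose justifies, and separately checks the `enabled_accessibility_services` setting, since an accessibility service is enabled by the user rather than requested as a permission. The dumpsys text, the package name and the accessibility-service value are constructed samples, and the purpose baseline is an assumption of what a file manager plausibly needs.

```python
"""Audit the permissions an Android app requests against what its advertised
purpose plausibly needs. Added illustrative example, not code from the
article, from Lookout, or from the KosPy samples.

The input format mirrors the 'requested permissions:' block printed by
`adb shell dumpsys package <pkg>`; the text below is a constructed sample and
the package name in it is a placeholder, not a real KosPy identifier.
"""
import re

# Android permissions that would let an app do what the article says KosPy
# did, grouped by the spying capability each set unlocks.
SPY_CAPABILITIES = {
    "read SMS": {"android.permission.READ_SMS",
                 "android.permission.RECEIVE_SMS"},
    "read call logs and contacts": {"android.permission.READ_CALL_LOG",
                                    "android.permission.READ_CONTACTS"},
    "track location": {"android.permission.ACCESS_FINE_LOCATION",
                       "android.permission.ACCESS_COARSE_LOCATION",
                       "android.permission.ACCESS_BACKGROUND_LOCATION"},
    "record ambient audio": {"android.permission.RECORD_AUDIO"},
    "take photos in background": {"android.permission.CAMERA"},
    "enumerate installed apps": {"android.permission.QUERY_ALL_PACKAGES"},
}

# Assumed baseline: permissions a file manager can legitimately justify.
# Any SPY_CAPABILITIES permission outside this set is out of character.
PURPOSE_BASELINE = {
    "file manager": {"android.permission.READ_EXTERNAL_STORAGE",
                     "android.permission.WRITE_EXTERNAL_STORAGE",
                     "android.permission.MANAGE_EXTERNAL_STORAGE",
                     "android.permission.INTERNET"},
}

PERMISSION_LINE = re.compile(r"^\s+(android\.permission\.[A-Z_]+)\s*$")
SECTION_HEADER = re.compile(r"^\s+[a-zA-Z ]+:\s*$")


def parse_requested_permissions(dumpsys_text):
    """Return the permission names listed under 'requested permissions:'."""
    found = set()
    in_section = False
    for line in dumpsys_text.splitlines():
        if line.strip() == "requested permissions:":
            in_section = True
            continue
        if in_section and SECTION_HEADER.match(line):
            break  # reached the next dumpsys section, e.g. 'install permissions:'
        if in_section:
            match = PERMISSION_LINE.match(line)
            if match:
                found.add(match.group(1))
    return found


def audit_app(purpose, requested, package, enabled_accessibility_services=""):
    """Return sorted (capability, detail) pairs the app's purpose does not justify.

    enabled_accessibility_services is the raw value of
    `adb shell settings get secure enabled_accessibility_services`, a
    colon-separated list of package/service entries."""
    baseline = PURPOSE_BASELINE.get(purpose, set())
    findings = []
    for capability, perms in SPY_CAPABILITIES.items():
        for perm in sorted((perms & requested) - baseline):
            findings.append((capability, perm))
    # Accessibility abuse (the keylogging route described in the article)
    # shows up as an enabled service of this package, not as a permission.
    for entry in enabled_accessibility_services.split(":"):
        if entry.startswith(package + "/"):
            findings.append(("keylogging via accessibility service", package))
    return sorted(findings)


# Constructed sample in the shape of `adb shell dumpsys package` output.
SAMPLE_DUMPSYS = """\
  Package [com.example.filemanager] (a1b2c3):
    userId=10234
    requested permissions:
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.WRITE_EXTERNAL_STORAGE
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.READ_CALL_LOG
      android.permission.ACCESS_FINE_LOCATION
      android.permission.RECORD_AUDIO
      android.permission.CAMERA
      android.permission.QUERY_ALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
"""
# Constructed value in the shape of the enabled_accessibility_services setting.
SAMPLE_A11Y = "com.example.filemanager/.HelperService"


def audit_sample():
    perms = parse_requested_permissions(SAMPLE_DUMPSYS)
    return audit_app("file manager", perms, "com.example.filemanager", SAMPLE_A11Y)


if __name__ == "__main__":
    for capability, detail in audit_sample():
        print(f"out of character for a file manager: {capability} via {detail}")
```

On a real device you would feed the script the output of `adb shell dumpsys package <pkg>` for each app you doubt; a single hit such as `RECORD_AUDIO` on a file manager is exactly the "cause for alarm" the advice above refers to, and an enabled accessibility service belonging to a utility app deserves the same scrutiny.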

The global response and the current situation

Following the widespread media coverage of KosPy and the investigation led by Lookout, Google has strengthened its controls and Play Protect system, blocking and eliminating all known variants of this spyware. Furthermore, international collaboration between cybersecurity companies and technology giants is key to neutralizing these threats before they become widespread.

Since the removal of KosPy, no new cases of mass infection through the Google Play Store have emerged, although it is essential to remain vigilant, as attackers are constantly evolving their techniques.

The discovery of KosPy has highlighted the growing sophistication of digital espionage in the Android ecosystem, demonstrating that no one is immune to becoming a victim. The collaboration between state actors and hacking groups like ScarCruft and Kimsuky, the exploitation of official stores, and the ability to disguise themselves as seemingly harmless apps underscore the importance of maintaining a proactive approach to digital protection.


Active monitoring, critical review of permissions, and continuous updating are the best barriers against these threats. Share this information so that other users are aware of the news.
