The Lookout Threat Lab has uncovered a new Android surveillance tool named KoSpy, linked to the North Korean APT group ScarCruft. The spyware targets Korean- and English-speaking users, using fake utility applications as lures to infect devices. It was distributed via the Google Play Store and Firebase Firestore, both of which Google has since taken down. KoSpy collects sensitive data from victims, and its infrastructure overlaps with other malicious activity by North Korean actors.
Affected: Android users, South Korea, English-speaking users
Key points:
- A new Android spyware called KoSpy has been identified.
- Lookout attributes the spyware to the North Korean APT group ScarCruft (APT37) with medium confidence.
- KoSpy targets Korean and English-speaking users through fake utility application lures.
- Uses the Google Play Store and Firebase Firestore for distribution.
- Google has removed the malicious apps from its store.
- KoSpy can collect sensitive information, including SMS messages, call logs, and device location.
- The spyware uses a two-stage Command and Control (C2) approach.
- Connected infrastructure shows ties to previous activities of other North Korean threat groups.
MITRE Techniques:
- T1071.001 – Application Layer Protocol: C2 communication using HTTP POST requests.
- T1070.001 – Indicator Removal on Host: Encrypted data transmission to evade detection.
- T1102.001 – Web Service: Utilization of Firebase Firestore for configuration data retrieval.
- T1552.001 – Unsecured Credentials: Collection of sensitive data by accessing various device functionalities.
Indicators of Compromise:
- [Domain] joinupvts[.]org
- [Domain] resolveissue[.]org
- [Domain] crowdon[.]info
- [Domain] st0746[.]net
- [Email Address] mlyqwl@gmail[.]com
Full Story: https://security.lookout.com/threat-intelligence/article/lookout-discovers-new-spyware-by-north-korean-apt37