Summary: A North Korean APT group, ScarCruft, has been distributing a surveillance tool known as KoSpy via Google Play, primarily targeting Korean- and English-speaking users. The spyware, disguised as utility applications, enables extensive data collection from infected devices, including SMS, call logs, and location data. Lookout, a cybersecurity firm, has identified multiple instances of this malware and noted its active use since March 2022.
Affected: Android users, specifically Korean- and English-speaking individuals
Key points:
- KoSpy has been attributed to the North Korean APT group ScarCruft, active since 2012.
- The spyware masquerades as various utility applications, such as file managers and security tools.
- Data collected by KoSpy includes SMS messages, call logs, screenshots, and device location; the collected data is encrypted before transmission.
- The applications were found in both Google Play and third-party stores, but have since been removed.
- The malware can dynamically change its command-and-control server and adapt based on device conditions.
Source: https://www.securityweek.com/north-korean-hackers-distributed-android-spyware-via-google-play/