Українська правда

North Korean hackers uploaded spyware to Android app store

A group of hackers linked to the North Korean regime has uploaded spyware for Android to the Google Play store. The hackers were able to trick some users into downloading it, TechCrunch reports.

Cybersecurity firm Lookout has published a report detailing a campaign using Android spyware dubbed KoSpy, which Lookout confidently attributes to the North Korean government.

One of these apps was available on Google Play and downloaded over 10 times. KoSpy collects a wide range of sensitive information, including SMS messages, call logs, files on the device, passwords, and Wi-Fi network data. In addition, the software can record audio, take photos, and capture screenshots.

One of the applications that disguised itself as a file manager, but was actually spyware

Lookout reports that KoSpy uses Firestore to load settings from a cloud database on Google Cloud infrastructure. Google later removed all detected apps from the store and deactivated Firebase projects, including KoSpy. A Google spokesperson noted that Google Play automatically protects users from known versions of this malware.

Lookout also detected spyware apps on the third-party store APKPure, although APKPure representatives said they had not received any notifications from Lookout. According to Lookout, the campaign was targeted at specific individuals, likely residents of South Korea who spoke English or Korean.

Lookout's analysis found that some of the apps use domain names and IP addresses previously associated with the infrastructure of the APT37 and APT43 hacking groups, which have ties to the North Korean government.
