A group of hackers linked to the North Korean government successfully uploaded Android spyware to the Google Play Store, tricking unsuspecting users into downloading it, according to cybersecurity firm Lookout.
In a newly published report, shared exclusively with TechCrunch before its official release, Lookout detailed an espionage operation involving multiple versions of an Android spyware it has named KoSpy. The cybersecurity firm attributes this campaign with “high confidence” to North Korea’s government-backed hacking groups.
Spyware Found on Google Play Store
At least one of the KoSpy spyware apps was available for download on Google Play and had been installed more than 10 times before it was taken down. Lookout included a cached screenshot of the app’s Play Store listing in its report.
North Korean hacking groups have made headlines in recent years for large-scale cryptocurrency thefts, such as the recent $1.4 billion heist from crypto exchange Bybit, which allegedly helps fund the nation’s prohibited nuclear weapons program. The latest spyware campaign, however, appears to be focused on targeted surveillance rather than financial crime. The wider fraud picture offers little comfort either: Americans lost $12.5 billion to scammers in 2024.
How KoSpy Operates
The specific objectives of this spyware campaign remain unclear. However, Christoph Hebeisen, Lookout’s director of security intelligence research, said that the limited number of downloads suggests it was used in a targeted attack rather than a mass surveillance effort.
Lookout’s analysis found that KoSpy collects an extensive range of sensitive data, including:
- SMS messages and call logs
- GPS location data
- Files and folders on the device
- Keystrokes entered by the user
- Wi-Fi network details
- List of installed applications
Beyond data collection, KoSpy has additional invasive capabilities. It can:
- Record audio
- Take photos using the device’s camera
- Capture screenshots of user activity
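As an added illustration, not code from Lookout’s report or from the article, the Python helper below parses an AndroidManifest.xml and scores how many of the capabilities listed above an app’s declared permissions would enable; the sample manifest, its package name and service name are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Capability reported for KoSpy -> Android permission(s) an app needs for it.
# Screenshots are omitted: screen capture on Android needs no manifest permission.
CAPABILITY_PERMISSIONS = {
    "sms_and_call_logs": {"android.permission.READ_SMS", "android.permission.READ_CALL_LOG"},
    "gps_location": {"android.permission.ACCESS_FINE_LOCATION"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE", "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "wifi_details": {"android.permission.ACCESS_WIFI_STATE"},
    "installed_apps": {"android.permission.QUERY_ALL_PACKAGES"},
    "record_audio": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
}

def profile_manifest(manifest_xml: str) -> dict:
    """Return the matched capabilities and a 0..1 score against the profile above."""
    root = ET.fromstring(manifest_xml)
    declared = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    matched = {cap for cap, perms in CAPABILITY_PERMISSIONS.items() if declared & perms}
    # Keystroke capture normally rides on an accessibility service, which is
    # declared as a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    if any(s.get(PERM_ATTR) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
           for s in root.iter("service")):
        matched.add("keystrokes")
    total = len(CAPABILITY_PERMISSIONS) + 1  # +1 for the keystroke check
    return {"matched": sorted(matched), "score": round(len(matched) / total, 2)}

# Constructed sample manifest (placeholder package and service names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder.utility">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <service android:name=".PlaceholderService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(profile_manifest(SAMPLE_MANIFEST))
```

A high score is a triage signal for closer review, not a verdict: legitimate backup, messaging and parental-control apps also declare several of these permissions.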
Lookout’s investigation also found that KoSpy retrieves its initial configuration from Firestore, a cloud database built on Google Cloud infrastructure. Pulling configuration from a legitimate cloud service in this way is unusual, and it further illustrates the sophistication of the hackers’ tactics.
Google’s Response
Following Lookout’s findings, Google swiftly removed the identified spyware apps from the Play Store and deactivated associated Firebase projects.
“Google Play automatically protects users from known versions of this malware on Android devices with Google Play Services,” said Google spokesperson Ed Fernandez.
However, Google declined to answer specific questions about Lookout’s report, including whether it agrees with the attribution to the North Korean regime.
KoSpy Also Found on APKPure
In addition to its presence on Google Play, Lookout discovered that KoSpy was also being distributed on APKPure, a third-party Android app store. However, an APKPure spokesperson stated that the company had not received any communication from Lookout regarding the discovery.
Attempts to contact the email address linked to the Google Play page hosting the spyware app went unanswered.
Targeting South Korean Users
While Lookout was unable to determine the specific individuals or groups targeted, the researchers believe the spyware campaign was aimed at South Korean users who speak English or Korean.
Their assessment is based on:
- The app names, some of which were in Korean
- The app interfaces, which supported both English and Korean
- The use of domain names and IP addresses previously associated with North Korean hacking groups APT37 and APT43
North Korean Hackers’ Persistent Threat
One of the most striking aspects of this attack is North Korea’s repeated success in getting malicious apps approved and published in official app stores.
“The thing that is fascinating about North Korean threat actors is that they are, it seems, somewhat frequently successful in getting apps into official app stores,” said Lookout’s Hebeisen.
This latest campaign highlights the ongoing risk of sophisticated cyber-espionage operations and the need for stronger vetting processes in app stores to protect users from state-sponsored cyber threats.