A group of hackers linked to the North Korean government managed to upload spyware to the Google Play Store, where users downloaded the malicious applications, according to a Lookout cybersecurity report.
Lookout discovered the spyware, named KoSpy, which more than 10 users downloaded before its removal. Lookout attributes the malware with high confidence to North Korean hacking groups, in part because it was built for surveillance rather than financial theft.
The advanced Android spyware KoSpy extracts multiple types of sensitive user data, including SMS messages, call logs, location data, the list of installed apps, and keystrokes. It also lets its operators record audio, take pictures, capture screenshots, and collect Wi-Fi network information. The spyware retrieved its initial configuration from Google Cloud’s Firestore, which helped it avoid detection.
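The capability list above maps fairly directly onto Android permissions, which is one of the few signals a defender can check without the samples themselves. The following is an added example, not code from the Lookout report or from Google: a permission-combination triage that flags installed packages able to reach several of the data types the article names. The permission strings are real Android permission names; the package names and permission sets in the sample inventory are constructed for illustration, and the threshold is an assumed tuning value.

```python
from typing import Dict, Iterable, List, Set

# Map each data type the article says KoSpy collects to the Android permission
# strings that grant access to it (real permission names). Keystroke capture and
# screenshots are usually obtained through an accessibility service rather than a
# runtime permission, so that category keys on the service-binding permission.
SURVEILLANCE_PERMISSIONS: Dict[str, Set[str]] = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "installed_apps": {"android.permission.QUERY_ALL_PACKAGES"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "wifi": {"android.permission.ACCESS_WIFI_STATE"},
    "accessibility": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
}


def surveillance_categories(permissions: Iterable[str]) -> List[str]:
    """Return the sorted surveillance categories a permission set can reach."""
    held = set(permissions)
    return sorted(cat for cat, perms in SURVEILLANCE_PERMISSIONS.items() if held & perms)


def triage(apps: Dict[str, Iterable[str]], threshold: int = 4) -> Dict[str, List[str]]:
    """Flag packages whose permissions reach at least `threshold` categories.

    Returns {package: categories} for flagged packages only. The threshold is an
    assumed triage knob, not a verdict: a messenger legitimately reaches sms,
    audio and camera, so the default demands a broader combination before flagging.
    """
    flagged: Dict[str, List[str]] = {}
    for package, perms in apps.items():
        cats = surveillance_categories(perms)
        if len(cats) >= threshold:
            flagged[package] = cats
    return flagged


# Constructed sample inventory (package names and permission sets are made up,
# shaped like the output of `adb shell dumpsys package <pkg>` once parsed).
SAMPLE_APPS: Dict[str, List[str]] = {
    "com.example.flashlight": ["android.permission.CAMERA"],
    "com.example.messenger": ["android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                              "android.permission.RECORD_AUDIO", "android.permission.CAMERA"],
    "com.example.fileutility": ["android.permission.READ_SMS", "android.permission.READ_CALL_LOG",
                                "android.permission.ACCESS_FINE_LOCATION",
                                "android.permission.QUERY_ALL_PACKAGES",
                                "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
                                "android.permission.ACCESS_WIFI_STATE",
                                "android.permission.BIND_ACCESSIBILITY_SERVICE"],
}

if __name__ == "__main__":
    for package, cats in triage(SAMPLE_APPS).items():
        print(f"{package}: reaches {len(cats)} surveillance categories: {', '.join(cats)}")
```

Treat a hit as a reason to look closer (who published the app, what it claims to do, whether it runs an accessibility service), not as a detection on its own; the messenger in the sample shows why a low threshold produces false positives.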

Google removed all of the spyware apps from its Play Store and deactivated the associated Firebase projects. A Google spokesperson confirmed that Play Protect automatically protects users from known versions of this malware. Google did not comment on Lookout’s conclusion that North Korea was responsible.
The incident demonstrates that the North Korean hacking groups APT37 and APT43 continue to successfully penetrate official app stores. According to Lookout researchers, the campaign’s main targets were South Korean speakers of English or Korean, judging by the app names and language configurations.
Concerns deepened when the spyware was also found on the third-party app store APKPure. Lookout’s research indicates the operation was designed to collect intelligence on specific individuals, in line with North Korea’s history of cyber espionage.
The incident shows how state-sponsored hacking continues to evolve and underscores the need for stronger security controls in app stores.