
Android App Store Infiltrated by North Korean Spyware

According to cybersecurity firm Lookout, a group of hackers tied to the North Korean regime uploaded spyware for Android onto the Google Play app store and tricked some users into downloading it.

In a report published on Wednesday, Lookout describes an espionage campaign built around several variants of an Android spyware family it calls KoSpy, which the company says it attributes “highly confidently” to the North Korean government.

Christoph Hebeisen, Lookout’s director of security intelligence research, told TechCrunch that the aim of the spyware campaign is not yet clear, but that with only a handful of downloads it was likely aimed at specific targets.

Lookout said that KoSpy can gather a “huge amount” of sensitive information, including SMS text messages, call logs, the device’s location, files stored in folders on the device, user-entered keystrokes, Wi-Fi network details and a list of installed applications.

KoSpy can also record audio, take pictures with the phone’s cameras, and capture screenshots of whatever is on the screen.

Lookout also found that KoSpy relied on Firestore, a cloud database service built on Google Cloud infrastructure, to retrieve its “initial configurations.”

According to a cached snapshot of the app’s page on the official Android app store, at least one of the spyware apps was at some point available on Google Play and was downloaded more than 10 times. Lookout included a screenshot of the page in its report.

In recent years, North Korean hackers have drawn attention for audacious heists, such as the recent theft of around $1.4 billion in Ethereum from the Bybit crypto exchange, proceeds that are believed to fund the country’s banned nuclear weapons program.

This new spyware campaign, however, appears to be focused on surveillance, judging by the functionality of the spyware apps Lookout identified.

Ed Fernandez, a Google spokesperson, told TechCrunch that the report had been shared with the company and that “all of the identified apps were removed from Play [and] Firebase projects deactivated,” including the KoSpy sample that had been on Google Play.

“Google Play automatically protects users from known versions of this malware on Android devices with Google Play Services,” said Fernandez.

Google did not respond to several specific questions about the report, including whether it agrees with the attribution to the North Korean regime and other details of Lookout’s findings.

The report also stated that Lookout found some of the spyware apps on APKPure, a third-party app store.

An APKPure spokesperson said the company had not received “any email” from Lookout.

The person or persons controlling the developer email address listed on the spyware app’s Google Play page did not reply to TechCrunch’s request for comment.

Lookout’s Hebeisen and Alemdar Islamoglu, a senior staff security intelligence researcher, told TechCrunch in an interview that “Lookout did not have any insight about the targets — who has really been hacked,” but that “it was a very targeted campaign probably directed at persons based in South Korea who have English or Korean language skills.”

The report states that Lookout’s assessment is based on the apps it found: some have Korean-language titles, and the apps’ user interfaces support both Korean and English.

Lookout also discovered that the spyware apps used domains and IP addresses previously identified as malware and command-and-control infrastructure belonging to the North Korean government hacking groups APT37 and APT43.

“The interesting thing about North Korean threat actors is that they seem to be pretty frequently succeeding in getting apps into official app stores,” said Hebeisen.

Naijaeyes Report