
Android apps laced with North Korean spyware found in Google Play
arstechnica.com
SECURITY VETTING? WHAT SECURITY VETTING?

Google's Firebase platform also hosted configuration settings used by the apps.

Dan Goodin, Mar 12, 2025, 6:03 pm

Credit: Getty Images | Kirill Kudryavtsev

Researchers have discovered multiple Android apps, some of which were available in Google Play after passing the company's security vetting, that surreptitiously uploaded sensitive user information to spies working for the North Korean government.

Samples of the malware, named KoSpy by Lookout, the security firm that discovered it, masquerade as utility apps for managing files, app or OS updates, and device security. Behind the interfaces, the apps can collect a variety of information, including SMS messages, call logs, location, files, nearby audio, and screenshots, and send it to servers controlled by North Korean intelligence personnel. The apps target English-language and Korean-language speakers and have been available in at least two Android app marketplaces, including Google Play.

Think twice before installing

The surveillanceware masquerades as the following five different apps:

- (Phone Manager)
- File Manager
- (Smart Manager)
- (Kakao Security)
- Software Update Utility

Besides Play, the apps have also been available in the third-party Apkpure market. The following image shows how one such app appeared in Play.

Credit: Lookout

The image shows that the developer email address was mlyqwl@gmail[.]com and that the privacy policy page for the app was located at https://goldensnakeblog.blogspot[.]com/2023/02/privacy-policy.html.

"I value your trust in providing us your Personal Information, thus we are striving to use commercially acceptable means of protecting it," the page states. "But remember that no method of transmission over the internet, or method of electronic storage is 100% secure and reliable, and I cannot guarantee its absolute security."

The page, which remained available at the time this post went live on Ars, has no reports of malice on VirusTotal. By contrast, the IP addresses hosting the command-and-control servers have previously hosted at least three domains that have been known since at least 2019 to host infrastructure used in North Korean spy operations.

Even when not hosted in Play, the apps relied on a two-stage command-and-control infrastructure that retrieved configuration settings from a database hosted on Firebase, a web application developer platform provided by Google. Google has since removed both the apps and the configuration database from its infrastructure.

In a post published Wednesday, Lookout researcher Alemdar Islamoglu wrote:

"KoSpy can collect an extensive amount of sensitive information on the victim devices with the help of the dynamically loaded plugins. These capabilities include:

- Collecting SMS messages
- Collecting call logs
- Retrieving device location
- Accessing files and folders on the local storage
- Recording audio and taking photos with the cameras
- Capturing screenshots or recording the screen while in use
- Recording key strokes by abusing accessibility services
- Collecting wifi network details
- Compiling a list of installed applications

The collected data is sent to the C2 servers after getting encrypted with a hardcoded AES key. Lookout researchers observed five different Firebase projects and five different C2 servers during the analysis of the available KoSpy samples, which can be seen in the indicators of compromise section."

A Google representative didn't respond to emails asking precisely how many of the KoSpy apps were hosted in Play and over what time span. The representative also said that the most recent app sample was removed from Play before it received any downloads but didn't reply to a request seeking data on other samples. The representative went on to note that Google Play Protect can detect some malicious apps installed on Android devices even when the apps come from sources outside of Play.

Lookout said it has medium confidence that the North Korean spy groups tracked under the names APT37 (ScarCruft) and APT43 (Kimsuky) were behind the malicious apps.

Android users should give careful thought to any app before installing it. Many apps provide no meaningful benefit at all, as was the case with the apps detected by Lookout. In other cases, a normal mobile browser can perform the same tasks. Anyone concerned that the apps may have been installed on a device they're responsible for should check the above-mentioned indicators of compromise, provided at the bottom of Wednesday's post.