New North Korean Spyware ‘KoSpy’ Infiltrates Android Devices

By Sophia Taylor

A newly documented Android spyware family, known as KoSpy, has been found in Google Play and in third-party app stores such as APKPure. Researchers at Lookout attribute the malware to APT37, a North Korean state-sponsored hacking group, and have identified samples dating back to at least March 2022.

How KoSpy Spreads

KoSpy disguises itself as legitimate utility apps, such as file managers and security tools, to lure users into installing it. The fake apps identified so far include:

  • 휴대폰 관리자 (Phone Manager)
  • File Manager (com.file.exploer)
  • 스마트 관리자 (Smart Manager)
  • 카카오 보안 (Kakao Security)
  • Software Update Utility

Fig 1. An example of a KoSpy app on Google Play. Source: Lookout

Once installed, these apps present a plausible user interface so that nothing looks wrong, while the KoSpy component runs in the background.

What KoSpy Can Do

After installation, KoSpy retrieves an encrypted configuration from a Firebase Firestore database. The configuration carries an on/off switch and the address of the command and control (C2) server, so the operators can activate or deactivate the implant, or move it to new infrastructure, without shipping an updated app. Only after reading that configuration does the spyware contact the C2 server.

The spyware is designed to collect a wide range of sensitive data from infected devices, including:

  • Text messages and call logs
  • GPS location tracking in real time
  • Access to local files and folders
  • Microphone recordings
  • Camera access for photos and videos
  • Screenshots of user activity
  • Keystroke recording through Android Accessibility Services

Fig 2. Interface of one of KoSpy’s Apps. Source: Lookout

The stolen data is encrypted before it is sent to the C2 servers, so the traffic reveals little about what is being exfiltrated, and the apps keep behaving as advertised, so the victim has no obvious sign that the device is under surveillance.

Connection to North Korean Hackers

Researchers have linked KoSpy to APT37 (also tracked as ScarCruft), a group known for cyber espionage against South Korean and English-speaking targets. The campaign also shares infrastructure with APT43 (Kimsuky), another North Korean group, which blurs the line between the two clusters and makes attribution less clear-cut.

Some of the C2 servers used in the campaign were still reachable when the research was published; others no longer respond. Because the implant reads its C2 address from Firebase and can fetch additional plugins from the C2 server once connected, the operators can stand up new infrastructure and extend the spyware's capabilities without touching the app on the victim's device.

Google’s Response and User Protection Tips

All identified KoSpy-infected apps have now been removed from Google Play and APKPure. Google has also taken down associated Firebase projects to disrupt the malware’s communication channels.

Removal from the stores does not clean devices that already have the apps installed. Users should uninstall the apps manually, revoke any accessibility service access they were granted, and scan the device with a security tool to confirm nothing remains. Where there is any doubt, a factory reset is the safest option.
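The checks a practitioner would run on a possibly affected device, as an added example (this is not code from the article, from Lookout or from Certo). It parses the output of two adb commands, `pm list packages -i` and `settings get secure enabled_accessibility_services`, and flags the package name given above together with any third-party app that has an accessibility service enabled, the channel KoSpy uses to capture keystrokes. The sample output is constructed for the example; the service class names in it are invented, and the indicator list holds only the package name the article names.

```python
"""Offline triage of Android shell output for KoSpy-style indicators.

Constructed example: feed it the text captured from a device with
    adb shell pm list packages -i
    adb shell settings get secure enabled_accessibility_services
Nothing here talks to a device directly.
"""
import re

# Package name taken from the article (Lookout's KoSpy report). Add further
# published indicators here; nothing else in this set is assumed.
KOSPY_PACKAGES = {"com.file.exploer"}

# Installer package of Google Play. Any other installer, or "null", means the
# app was sideloaded, pushed by a third-party store, or is a preload.
PLAY_STORE = "com.android.vending"

# Platform packages whose accessibility services are expected (TalkBack etc.).
PLATFORM_PREFIXES = ("com.android.", "com.google.")

PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_pm_list(text):
    """Parse `pm list packages -i` output into {package: installer or None}."""
    pkgs = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            pkg, installer = m.groups()
            pkgs[pkg] = None if installer == "null" else installer
    return pkgs


def parse_accessibility(text):
    """Parse the enabled_accessibility_services setting.

    The value is a colon-separated list of flattened ComponentNames
    (package/class); `settings get` prints the literal string "null"
    when nothing is enabled. Returns the set of packages involved.
    """
    text = text.strip()
    if not text or text == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in text.split(":") if entry}


def is_platform(pkg):
    return pkg.startswith(PLATFORM_PREFIXES)


def triage(pm_text, a11y_text):
    """Return a list of findings, one per suspicious package, sorted by name."""
    pkgs = parse_pm_list(pm_text)
    a11y = parse_accessibility(a11y_text)
    findings = []
    for pkg in sorted(pkgs):
        installer = pkgs[pkg]
        reasons = []
        if pkg in KOSPY_PACKAGES:
            reasons.append("package name matches a published KoSpy indicator")
        if pkg in a11y and not is_platform(pkg):
            # KoSpy logs keystrokes through an accessibility service, so any
            # third-party app holding that capability deserves a second look.
            reasons.append("third-party app with an enabled accessibility service")
        if reasons and installer != PLAY_STORE:
            reasons.append("not installed by Google Play (installer=%s)" % installer)
        if reasons:
            findings.append({"package": pkg, "installer": installer,
                             "reasons": reasons})
    return findings


# Constructed sample output. The service class names are invented for the
# example; only com.file.exploer is a real indicator from the report.
SAMPLE_PM = """\
package:com.android.vending  installer=null
package:com.google.android.marvin.talkback  installer=null
package:com.file.exploer  installer=null
package:com.example.reader  installer=com.android.vending
package:com.example.notes  installer=com.android.vending
"""
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.file.exploer/.AccService:"
               "com.example.reader/.ReadAloudService")

if __name__ == "__main__":
    for f in triage(SAMPLE_PM, SAMPLE_A11Y):
        print(f["package"])
        for r in f["reasons"]:
            print("  -", r)
```

Run against the sample, the script reports two packages: com.example.reader, only because a third-party app holds accessibility access, and com.file.exploer, which matches the indicator, has an accessibility service enabled and was not installed through Google Play. A match on the indicator list alone is grounds for removal; the accessibility finding on its own is a prompt to review the app, since legitimate screen readers and automation tools use the same capability.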

To protect against similar threats in the future:

  • Keep Google Play Protect enabled so that known malicious apps are blocked or flagged.
  • Install apps only from trusted developers on Google Play, and be wary of utility apps from unfamiliar publishers, even there.
  • Refuse permissions an app has no need for; accessibility service access, SMS, microphone and camera permissions deserve particular scrutiny.
  • Keep the Android device updated so it has the latest security patches.
  • Use a trusted anti-spyware app such as Certo.

KoSpy is a reminder that a mobile spyware campaign can sit inside an official app store for years before it is detected. Google has responded by removing the apps and their backend, but users must remain vigilant about what they install and what they allow it to do.