Friday, March 14, 2025

North Korean-Linked Hackers Upload Android Spyware to Google Play, Targeting Users

A North Korean-linked hacking group successfully uploaded Android spyware to the Google Play app store, tricking users into downloading it, according to cybersecurity firm Lookout. In a report published on Wednesday and shared exclusively with TechCrunch, Lookout detailed an espionage campaign involving multiple samples of Android spyware, dubbed KoSpy, which the firm attributes with "high confidence" to the North Korean government.

At least one of the malicious apps was available on Google Play and downloaded more than 10 times, as evidenced by a cached snapshot of its app store page included in Lookout’s report. While North Korean hackers are often associated with high-profile cryptocurrency heists—such as the recent theft of $1.4 billion in Ethereum from crypto exchange Bybit—this campaign appears focused on surveillance. The spyware’s functionality suggests it was designed to monitor and gather sensitive information from targeted devices.

KoSpy relied on Firestore, a cloud database built on Google Cloud infrastructure, to retrieve initial configurations. Google spokesperson Ed Fernandez confirmed that Lookout shared its findings with the company, leading to the removal of all identified apps from Google Play and the deactivation of associated Firebase projects. Fernandez stated, “Google Play automatically protects users from known versions of this malware on Android devices with Google Play Services.” However, Google did not comment on specific details of the report, including whether it agreed with Lookout’s attribution to North Korea.
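The paragraph above notes that the spyware fetched its initial configuration from Firestore rather than embedding it in the app. For a defender triaging an Android package, the first question is simply which Firebase projects the app references at all. The following script is an added example, not code from Lookout's report or from the apps it describes: it pulls the resource names the google-services Gradle plugin writes into a decoded APK's `res/values/values.xml` (`project_id`, `google_app_id`, `firebase_database_url`, and friends) and greps the remaining decoded text for Firestore and Realtime Database endpoints, so the identifiers can be cross-checked against a project-deactivation list. The sample resources and strings are constructed for illustration and do not correspond to any real project.

```python
"""Added example: inventory the Firebase/Firestore identifiers an Android app
references, using decoded APK resources.  Not from the TechCrunch article or
Lookout's KoSpy report; the resource names are the ones the google-services
Gradle plugin generates, and all sample input below is constructed."""
import re
import xml.etree.ElementTree as ET

# <string> resource names the google-services plugin emits into values.xml.
FIREBASE_RESOURCE_KEYS = {
    "project_id", "google_app_id", "gcm_defaultSenderId",
    "firebase_database_url", "google_storage_bucket", "google_api_key",
}

# Firestore / Realtime Database endpoint hostnames (documented Google hosts).
FIREBASE_HOST_PATTERN = re.compile(
    r"https?://[\w.-]*(?:firestore\.googleapis\.com|firebaseio\.com|"
    r"firebasedatabase\.app)[^\s\"'<>]*"
)


def parse_values_xml(xml_text: str) -> dict:
    """Return the Firebase-related <string> resources found in a values.xml."""
    root = ET.fromstring(xml_text)
    found = {}
    for node in root.iter("string"):
        name = node.get("name")
        if name in FIREBASE_RESOURCE_KEYS and node.text:
            found[name] = node.text.strip()
    return found


def find_firebase_urls(blob: str) -> list:
    """Return the distinct Firebase endpoint URLs embedded in arbitrary text
    (decoded smali, assets, string tables)."""
    return sorted(set(FIREBASE_HOST_PATTERN.findall(blob)))


def triage(values_xml: str, other_text: str) -> dict:
    """Summarise which cloud project(s) the app is wired to."""
    resources = parse_values_xml(values_xml)
    urls = find_firebase_urls(values_xml + "\n" + other_text)
    return {
        "project_id": resources.get("project_id"),
        "resources": resources,
        "urls": urls,
        "uses_firebase": bool(resources) or bool(urls),
    }


# Constructed sample of a decoded res/values/values.xml (hypothetical project).
SAMPLE_VALUES_XML = """<resources>
    <string name="app_name">Example Utility</string>
    <string name="project_id" translatable="false">example-project-12345</string>
    <string name="google_app_id" translatable="false">1:000000000000:android:0000000000000000</string>
    <string name="firebase_database_url" translatable="false">https://example-project-12345-default-rtdb.firebaseio.com</string>
</resources>
"""

# Constructed sample of strings pulled from the rest of the decoded package.
SAMPLE_STRINGS = """
some unrelated text
https://firestore.googleapis.com/v1/projects/example-project-12345/databases/(default)/documents/config
"""

if __name__ == "__main__":
    print(triage(SAMPLE_VALUES_XML, SAMPLE_STRINGS))
```

Run it against the output of an APK decoder (for example the `res/values/values.xml` and a concatenation of the decoded `smali` and `assets` files); an app that ships no Firebase resources but still embeds a `firestore.googleapis.com` URL is worth a closer look, since that is the pattern of an app reaching for remote configuration outside the SDK's normal wiring.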

The spyware apps were also found on the third-party app store APKPure, though an APKPure spokesperson claimed they did not receive any communication from Lookout. Attempts by TechCrunch to contact the developer associated with the malicious app on Google Play were unsuccessful.

Lookout researchers Kristin Hebeisen and Alemdar Islamoglu noted that while the specific targets of the campaign remain unclear, the operation was likely highly targeted, focusing on individuals in South Korea who speak English or Korean. This assessment is based on the apps’ Korean-language titles, user interfaces, and domain names and IP addresses linked to known North Korean hacking groups APT37 and APT43.

Hebeisen highlighted the concerning trend of North Korean threat actors frequently managing to infiltrate official app stores, emphasizing their persistence and adaptability. This incident underscores the ongoing challenges in securing app ecosystems and the evolving tactics of state-sponsored hacking groups.
