
North Korean hackers have infiltrated the Google Play app store, uploading spyware masquerading as utility apps.

According to a report from cyber-security firm Lookout, the spyware, known as KoSpy, has been propagated by the APT37 hacking group, which is thought to be backed by the North Korean state. The group, believed to have been created in 2012, has previously been involved in attacks on various financial institutions, primarily in South Korea, although it has been actively targeting other countries in recent years.

The report found that the spyware was first observed in March 2022 and remains active, with new samples still publicly hosted.

KoSpy can collect extensive data, such as SMS messages, call logs, location, files, audio and screenshots via dynamically loaded plug-ins on Android phones. As well as on Google Play, the apps have been found on third-party app stores such as APKPure.

It was observed using fake utility application lures, such as ‘File Manager’, ‘Software Update...