A new strain of spyware has been identified infecting Android devices through fraudulent applications distributed on the Google Play Store and third-party stores. The spyware, named KoSpy, was developed by actors linked to the North Korean government and is built to steal user information without being detected.
The discovery has raised concern in the security community because the spyware reaches victims' devices through seemingly harmless applications. Here is how it works, what information it steals, and what you can do to protect yourself.
What is KoSpy and how does it infect Android devices?
Researchers at Lookout discovered that KoSpy hides inside fake apps posing as legitimate file-management or security utilities. Some of these apps were available on the official Google Play Store, which shows that they managed to pass Google's review and security filters.
Once installed, the apps load the KoSpy spyware without the user noticing. While some of them offered basic functionality that made them look legitimate, their real purpose was to collect sensitive information from the device and send it to command-and-control servers operated by the North Korea-linked actors behind the campaign. Protecting your device from malware of this kind is therefore essential.
Popular Apps with KoSpy
The following apps have been identified as carrying the spyware:
- 휴대폰 관리자 (Phone Manager)
- File Manager
- 스마트 관리자 (Smart Manager)
- Kakao Security
- Software Update Utility
If you have ever installed any of these applications, remove them immediately and run a security scan on your device, since they may have left traces behind.
What information does KoSpy steal?
This spyware is highly sophisticated and can obtain a large amount of data from the infected device. Its capabilities include:
- Interception of SMS messages and call logs.
- GPS location, used to track the user's position in real time.
- Access to files and folders stored on the phone.
- Audio recording and photo capture without the user's consent.
- Screenshots and real-time recording of user activity.
- Keystroke logging to steal login credentials.
- Enumeration of installed applications and collection of details about the Wi-Fi networks used.
All of this data is sent to command and control servers operated by hackers affiliated with the North Korean government.
How this malware can evade detection
One of KoSpy's most advanced features is its ability to remain hidden. To do this, it employs several evasion techniques:
- Using Firebase Firestore to retrieve its configuration and to remotely enable specific functions.
- Waiting until a specific date before activating, so that initial security scans see nothing malicious.
- Checking whether it is running in an analysis environment, such as an emulator, and disabling itself if so.
- Dynamically changing its command-and-control servers to evade blocking.
Thanks to these strategies, the spyware can operate for long periods without being detected, which makes appropriate security measures all the more important.
KoSpy's relationship with North Korea
The group responsible for KoSpy is linked to ScarCruft (APT37), a North Korean state-sponsored cyberespionage organization. Parts of KoSpy's infrastructure have also been found to overlap with infrastructure used by APT43 (Kimsuky), another North Korean group, suggesting cooperation in the development and deployment of spy tools.
ScarCruft has been active since 2012 and has been attributed multiple attacks targeting primarily South Korea, although victims have also been found in Japan, India, Russia and several Middle Eastern countries. Attacks of this kind put at risk many users who are unaware of how their phones can be compromised.
How to protect yourself from this and other spyware
To avoid falling victim to these types of threats, cybersecurity experts recommend following these preventive measures:
- Download apps only from trusted sources, avoiding third-party stores like APKPure.
- Check the permissions an app requests before installing it. If it asks for access to features unrelated to its stated purpose, do not install it.
- Regularly update the operating system and applications to close possible vulnerabilities.
- Use a trusted antivirus on the mobile device to detect threats.
- Immediately uninstall any suspicious application and run a security scan afterwards.
If you suspect your device is infected, perform a factory reset to remove the malware, and then change the passwords of the accounts used on the device, since credentials already captured by the spyware are not undone by the reset.
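The permission check recommended above can be turned into a quick triage step. The script below is an added example, not code from the article or from Lookout: it parses the output of `adb shell dumpsys package` and flags any package whose requested permissions cover several of the surveillance capabilities listed earlier (SMS, call logs, location, files, audio, camera, app inventory, Wi-Fi details). The permission-to-capability mapping, the threshold of four capabilities, and the package names in the embedded sample output are all this example's own assumptions; the sample is constructed to mirror the shape of real `dumpsys` output, and does not reproduce KoSpy's actual package names.

```python
"""Triage Android permission requests for spyware-like capability sets.

Added example, not from the article or Lookout. Reads `adb shell dumpsys
package` output (one package or all packages) and flags packages that
request permissions covering several surveillance capabilities. The
mapping and threshold below are assumptions for illustration.
"""
import re
import sys
from collections import defaultdict

# Assumption: permissions that grant the capabilities the article lists.
CAPABILITY_OF = {
    "android.permission.READ_SMS": "SMS interception",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_CALL_LOG": "call log access",
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location tracking",
    "android.permission.READ_EXTERNAL_STORAGE": "file access",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "file access",
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.CAMERA": "camera access",
    "android.permission.QUERY_ALL_PACKAGES": "installed-app inventory",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi network details",
}
# Caveat: keystroke logging and screen capture through an accessibility
# service are NOT visible in requested permissions; check the enabled
# services under Settings > Accessibility separately.

PACKAGE_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
# A permission line is a single dotted token, optionally followed by ": ...".
PERM_RE = re.compile(r"^\s+([\w.]+)(?::.*)?$")


def parse_requested_permissions(dumpsys_text):
    """Return {package_name: set(requested permissions)} from dumpsys output."""
    result = defaultdict(set)
    current = None
    in_block = False
    for line in dumpsys_text.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            current = m.group(1)
            in_block = False
            continue
        if line.strip() == "requested permissions:":
            in_block = True
            continue
        if in_block:
            m = PERM_RE.match(line)
            if m and current:
                result[current].add(m.group(1))
            else:
                in_block = False  # next section header ends the block
    return dict(result)


def capability_report(dumpsys_text):
    """Map each package to the sorted list of capabilities its permissions reach."""
    report = {}
    for pkg, perms in parse_requested_permissions(dumpsys_text).items():
        report[pkg] = sorted({CAPABILITY_OF[p] for p in perms if p in CAPABILITY_OF})
    return report


def flag_suspicious(report, threshold=4):
    """Assumption: four or more distinct surveillance capabilities in one app
    deserve a manual look. A messenger may legitimately need several; a
    'file manager' or 'phone manager' does not. This is triage, not a verdict."""
    return sorted(pkg for pkg, caps in report.items() if len(caps) >= threshold)


# Constructed sample in the shape of `dumpsys package` output (hypothetical names).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.filemanager] (7a3f01c):
    userId=10231
    versionCode=42 minSdk=24 targetSdk=33
    requested permissions:
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.WRITE_EXTERNAL_STORAGE
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.phonemanager] (1b9e22d):
    userId=10232
    versionCode=3 minSdk=21 targetSdk=30
    requested permissions:
      android.permission.READ_SMS
      android.permission.READ_CALL_LOG
      android.permission.ACCESS_FINE_LOCATION
      android.permission.RECORD_AUDIO
      android.permission.CAMERA
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.QUERY_ALL_PACKAGES
      android.permission.ACCESS_WIFI_STATE
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    # Usage: adb shell dumpsys package | python triage.py   (or pass a saved file)
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    elif not sys.stdin.isatty():
        text = sys.stdin.read()
    else:
        text = SAMPLE_DUMPSYS
    report = capability_report(text)
    for pkg in flag_suspicious(report):
        print(f"{pkg}: {', '.join(report[pkg])}")
```

On a real device, pipe `adb shell dumpsys package` into the script; packages that reach the threshold are the ones to compare against their stated purpose, and an unfamiliar "manager" or "update utility" with SMS, audio and location access is exactly the pattern described above.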
KoSpy is a clear example of how malware keeps evolving and can even slip into official stores such as Google Play. Staying informed and applying good security practices remains the best defense against these threats.