March 15, 2025, 9:14 am
A North Korean hacker group has managed to infect numerous smartphones with extremely dangerous malware. From local files to personal video recordings, nothing remains hidden from the espionage tool.
Security researchers at “Lookout” have uncovered several apps tainted with the North Korean spyware “KoSpy.” This malware can effortlessly spy on smartphone users, and its sophisticated code makes it challenging to detect. TECHBOOK explains the details.
Spyware from North Korea
In its report, “Lookout” attributes the development and distribution of “KoSpy” to the well-known North Korean hacker group APT37. The security experts at Lookout believe that APT37 leverages infrastructure belonging to “Kimsuky,” another North Korean hacker collective also referred to as APT43. The affected apps lure users in as supposed utilities and are often functional to a limited extent.
“KoSpy” Hidden in Service Apps
The File Manager app provides access to smartphone storage, while the Update Utility software triggers the software update feature within Android settings. Kakao Security pretends to be an app from the South Korean Internet conglomerate Kakao Corporation. The app is not functional and instead only shows an interface with security and optimization options for the smartphone. However, these options cannot be used; the app simply proceeds to gain access rights to things such as SMS, background activities, and SD cards.
English- and Korean-speaking users are the main focus of the “KoSpy” attacks, and the apps discovered are available in both languages. Some of them could be found in the Google Play Store itself and in the “Apkpure” app database. All apps have since been removed from the respective platforms. However, users who have already downloaded these apps must now uninstall them manually:
- File Manager (com.file.exploer)
- Software Update Utility
- 휴대폰 관리자 (Phone Manager)
- 스마트 관리자 (Smart Manager)
- 카카오 보안 (Kakao Security)

What Makes “KoSpy” So Dangerous
Although the infected apps may seem legitimate at first glance, “KoSpy” operates covertly in the background. The spyware receives an encrypted configuration from Cloud Firestore, a database service within Google's Firebase platform. This configuration allows the attackers to determine whether “KoSpy” should switch itself on or off and which server address should be used for further communication.
If the so-called command-and-control server (C2) is discovered or blocked, it is easy to switch to another C2. In a further step, “KoSpy” makes sure that it is actually installed on a smartphone and checks the date. This strategy allows the spyware to conceal its true purpose for an extended period.
If “KoSpy” is activated, it receives further plug-ins and configurations from the C2 server to carry out the monitoring function. “Lookout” has discovered several plug-ins capable of accessing SMS messages, call logs, device locations, local files, and keystrokes, among other data. “KoSpy” is even capable of independently recording videos and photos, as well as taking screenshots and screen recordings.