A recently discovered Android surveillance tool, named KoSpy, is reportedly linked to the North Korean-backed threat actor ScarCruft, also known as APT37, Reaper, and Group123. This tool has been used to target both Korean and English-speaking users, expanding the group’s cyber espionage activities to a wider audience. ScarCruft has been active since at least 2012, frequently targeting government, defense, military, and media organizations. The discovery of KoSpy adds a new dimension to the group’s tactics, leveraging sophisticated Android malware that operates covertly to gather sensitive data from its victims.
ScarCruft, a well-known North Korean cyber threat actor, is behind the newly discovered KoSpy spyware targeting Android devices. This surveillance tool was previously undetected until Lookout researchers identified it in early 2024. The malware primarily targets Korean and English-speaking users, using deceptive tactics to infiltrate devices.
KoSpy’s Distribution Methods
The spyware is delivered through fake utility applications like Phone Manager, File Manager, Smart Manager, Kakao Security, and Software Update Utility. These apps were distributed through the Google Play Store and leveraged Firebase Firestore for configuration management. Though Google has since removed the affected apps and deactivated the associated Firebase projects, the tool’s distribution has been active since March 2022.
Spyware Features and Behavior
Once installed, KoSpy starts collecting sensitive information such as SMS, calls, location, files, audio, and screenshots from the infected device. To avoid detection, it checks if it is running in a virtualized environment and ensures the current date is past a hardcoded activation date. This delay tactic helps the spyware evade analysis during initial deployment.
KoSpy retrieves encrypted configuration data from Firebase Firestore, which provides attackers with control over the command-and-control (C2) server, allowing them to change server addresses or alter the malware’s operation. Communication with C2 servers happens via encrypted JSON requests, enabling attackers to download additional plugins or retrieve surveillance configurations.
Connection to Other North Korean APT Groups
Lookout researchers also discovered connections between KoSpy and other North Korean threat groups, particularly APT43, through shared infrastructure. Notably, one of the C2 domains for KoSpy, st0746[.]net, was linked to IP addresses previously associated with APT37 and APT43, suggesting that this campaign may be part of broader cyber-espionage activities. This overlapping infrastructure makes it more challenging to definitively attribute the campaign to one specific group, as North Korean threat actors tend to share tools, techniques, and infrastructure.
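The indicators the article names, the lure app titles and the C2 domain st0746[.]net, are the kind of thing a defender turns into a triage check. The script below is an added example, not code from the article or from Lookout: it refangs the defanged domain, scans constructed DNS resolver log lines for the C2 domain and any subdomain of it, and flags device inventory rows whose app title matches one of the lure names. The log format (`client=… query=…`), the inventory tuple layout, and all timestamps and addresses are assumptions made up for the example.

```python
import re
from dataclasses import dataclass

# Indicators taken from the article: the five lure app titles and the one
# C2 domain it names. The domain is stored defanged and refanged at match time.
LURE_APP_TITLES = {
    "Phone Manager", "File Manager", "Smart Manager",
    "Kakao Security", "Software Update Utility",
}
C2_DOMAINS_DEFANGED = {"st0746[.]net"}

# Assumed resolver log layout (constructed for this example).
DNS_LINE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")


@dataclass
class Hit:
    kind: str        # "c2-dns" or "lure-app-title"
    client: str      # resolver client or device id
    indicator: str   # which indicator matched
    line: str        # the raw record that matched


def refang(indicator: str) -> str:
    """Turn a defanged indicator (st0746[.]net, hxxp://) back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def domain_matches(queried: str, c2_domain: str) -> bool:
    """True if the queried name is the C2 domain or a subdomain of it.

    Normalises case and a trailing root dot, and refuses look-alike suffixes
    such as notst0746.net, which merely end in the same characters.
    """
    q = queried.lower().rstrip(".")
    return q == c2_domain or q.endswith("." + c2_domain)


def scan_dns_log(lines):
    """Return a Hit for every log line whose query name resolves under a C2 domain."""
    c2 = {refang(d) for d in C2_DOMAINS_DEFANGED}
    hits = []
    for line in lines:
        m = DNS_LINE.search(line)
        if not m:
            continue
        for d in c2:
            if domain_matches(m.group("qname"), d):
                hits.append(Hit("c2-dns", m.group("client"), d, line))
    return hits


def scan_installed_apps(inventory):
    """inventory: (device_id, app_title, package_name) tuples from an assumed MDM export.

    A title match is a low-fidelity triage signal only: "File Manager" is a common
    legitimate title, so these hits need package-name and signer verification.
    """
    hits = []
    for device, title, pkg in inventory:
        if title.strip() in LURE_APP_TITLES:
            hits.append(Hit("lure-app-title", device, title, f"{device} {title} {pkg}"))
    return hits


# Constructed sample data; none of these addresses or packages come from the article.
SAMPLE_DNS_LOG = [
    "2025-03-13T09:14:02Z client=10.0.0.21 query=www.example.org type=A",
    "2025-03-13T09:14:05Z client=10.0.0.42 query=api.st0746.net type=A",
    "2025-03-13T09:14:09Z client=10.0.0.42 query=firestore.googleapis.com type=A",
    "2025-03-13T09:15:11Z client=10.0.0.17 query=ST0746.NET. type=A",
    "2025-03-13T09:15:30Z client=10.0.0.17 query=notst0746.net type=A",
]
SAMPLE_INVENTORY = [
    ("dev-001", "Kakao Security", "com.example.placeholder.one"),
    ("dev-002", "Calculator", "com.example.placeholder.two"),
]

if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_DNS_LOG) + scan_installed_apps(SAMPLE_INVENTORY):
        print(f"[{h.kind}] {h.client} matched {h.indicator}: {h.line}")
```

Note that the Firestore traffic in the sample log is deliberately not flagged: Firebase endpoints are shared by countless legitimate apps, so, as the article's observation about cloud-hosted configuration implies, the C2 domain and the app package itself are the usable indicators, not the Firebase backend.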
What Undercode Says:
The discovery of KoSpy shines a light on the evolving tactics used by North Korean threat actors like ScarCruft. While the group has primarily been known for targeting governmental and military organizations in South Korea, this new tool expands its reach to individual users, indicating a shift in the group’s focus.
By masquerading as legitimate utility apps, KoSpy takes advantage of user trust in common Android applications. This social engineering tactic is powerful because it exploits users’ familiarity with and reliance on apps like File Manager and Software Update Utility, making the malicious apps harder to detect.
The use of Firebase Firestore for configuration and communication is another notable feature of KoSpy. Firebase, often associated with app developers, is typically seen as a benign service. However, its usage here for malware communication suggests that threat actors are increasingly leveraging cloud services for stealth and persistence. This also illustrates the growing sophistication of cyber espionage campaigns, where attackers blend into the environment and exploit infrastructure that seems entirely legitimate.
Moreover, the fact that KoSpy uses encrypted communication (AES encryption) for its data transmission indicates that ScarCruft has refined its tools to avoid detection and analysis. The encrypted requests sent to C2 servers make it more challenging for security researchers to dissect the malware and understand its full capabilities.
The connection between KoSpy and other APT groups such as APT43 further complicates attribution. It is well-known that North Korean cyber actors often share infrastructure and tools, making it difficult to pinpoint the exact group behind a specific attack. However, the similarities in infrastructure and tactics strongly suggest that KoSpy is part of a broader, coordinated effort by North Korean state-sponsored hackers to gather sensitive information and conduct cyber espionage against South Korea and beyond.
The attribution to APT37 with medium confidence is significant, as it reinforces the idea that KoSpy is not just an isolated tool but part of a long-standing and ongoing espionage campaign. It also highlights the importance of ongoing vigilance against North Korean threat actors, as they continue to refine their techniques to evade detection and carry out sophisticated cyberattacks.
Fact Checker Results:
- KoSpy is confirmed to be linked to APT37, a North Korean hacker group, with high confidence based on shared infrastructure and attack patterns.
- The tool was distributed through Google Play and used Firebase Firestore for configuration management.
- Security measures like AES encryption and delayed activation were used to avoid detection by security researchers.
References:
Reported By: https://securityaffairs.com/175357/malware/scarcruft-used-a-new-android-spyware-dubbed-kospy.html