Android Apps Laced with North Korean Spyware Found in Google Play

Researchers Uncover Android Apps with Ties to North Korean Government

Researchers have discovered multiple Android apps, some of which were available in Google Play after passing the company’s security vetting, that surreptitiously uploaded sensitive user information to spies working for the North Korean government.

The Malware: KoSpy

Samples of the malware—named KoSpy by Lookout, the security firm that discovered it—masquerade as utility apps for managing files, app or OS updates, and device security. Behind the interfaces, the apps can collect a variety of information including SMS messages, call logs, location, files, nearby audio, and screenshots and send them to servers controlled by North Korean intelligence personnel.

Targeting Specific Languages

The apps target English-language and Korean-language speakers and have been available in at least two Android app marketplaces, including Google Play.

Think Twice Before Installing

The surveillanceware masquerades as the following five different apps:

  • 휴대폰 관리자 (Phone Manager)
  • File Manager
  • 스마트 관리자 (Smart Manager)
  • 카카오 보안 (Kakao Security)
  • Software Update Utility
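
A defender's check built on the two details above (the data types collected and the app names used), added here as an example and not taken from Lookout's research: it reads the requested-permissions block of `adb shell dumpsys package` output and flags an app whose requests span several sensitive categories. The permission mapping, the threshold of three, the package name and the sample output are assumptions made for illustration.

```python
import re
# Assumption (not from the article): Android permissions guarding the data
# types the article lists. Screenshots have no manifest permission, so omitted.
SENSITIVE = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "audio": {"android.permission.RECORD_AUDIO"},
}
# Display names from the article; a match is a reason to look closer, not proof.
LURE_LABELS = {"휴대폰 관리자", "File Manager", "스마트 관리자",
               "카카오 보안", "Software Update Utility"}

def requested_permissions(dumpsys_text):
    """Return the names listed under 'requested permissions:'."""
    perms, in_block = set(), False
    for line in dumpsys_text.splitlines():
        name = line.strip().split(":", 1)[0]  # drop suffixes like ': restricted=true'
        if line.strip() == "requested permissions:":
            in_block = True
        elif in_block and re.fullmatch(r"[\w.]+\.[\w.]+", name):
            perms.add(name)
        elif in_block:
            break  # next section header ends the block
    return perms

def audit(label, dumpsys_text, threshold=3):
    """Flag an app whose requests span `threshold` or more sensitive categories."""
    perms = requested_permissions(dumpsys_text)
    hits = sorted(c for c, names in SENSITIVE.items() if perms & names)
    return {"label": label, "categories": hits,
            "lure_label": label in LURE_LABELS, "review": len(hits) >= threshold}

# Constructed, simplified `adb shell dumpsys package <name>` excerpts.
SUSPECT = """  Package [com.example.filemgr] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.READ_CALL_LOG
      android.permission.ACCESS_FINE_LOCATION
      android.permission.RECORD_AUDIO
    install permissions:"""
BENIGN = """    requested permissions:
      android.permission.INTERNET
      android.permission.READ_EXTERNAL_STORAGE: restricted=true
    install permissions:"""
```

A file manager that asks for storage access alone passes; one that also asks for SMS, call log, location and microphone access is the mismatch worth reviewing.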

Availability in Additional Marketplaces

Besides Play, the apps have also been available in the third-party Apkpure market.

Evidence of North Korean Ties

The following image shows how one such app appeared in Play.

The image shows that the developer email address was mlyqwl@gmail.com and the privacy policy page for the app was located at https://goldensnakeblog.blogspot.com/2023/02/privacy-policy.html.

Inconsistent Security Measures

“I value your trust in providing us your Personal Information, thus we are striving to use commercially acceptable means of protecting it,” the page states. “But remember that no method of transmission over the internet, or method of electronic storage is 100% secure and reliable, and I cannot guarantee its absolute security.”

Conclusion

It is crucial for users to be vigilant and thoroughly research any app before installing it, especially if it seems too good to be true or is from an unknown developer. The discovery of these apps highlights the need for continued vigilance in the face of evolving cyber threats.

FAQs

Q: How did the apps manage to pass Google Play’s security vetting?

A: The exact process is unclear, but it is possible that the apps were able to evade detection by using sophisticated techniques to hide their malicious capabilities.

Q: What information did the apps collect?

A: The apps collected a variety of information, including SMS messages, call logs, location, files, nearby audio, and screenshots.

Q: How many apps were discovered?

A: Multiple apps were discovered, but the exact number is unclear.

Q: Can I get my data back?

A: It is unclear whether it is possible to retrieve the data collected by the apps, but users are advised to change their passwords and keep a close eye on their accounts to prevent further exploitation.
