The North Korea-linked threat actor known as ScarCruft is said to have been behind a never-before-seen Android surveillance tool named KoSpy targeting Korean and English-speaking users.
Lookout, which shared details of the malware campaign, said the earliest versions date back to March 2022. The most recent samples were flagged in March 2024. It’s not clear how successful these efforts were.
“KoSpy can collect extensive data, such as SMS messages, call logs, location, files, audio, and screenshots via dynamically loaded plugins,” the company said in an analysis.
The malicious artifacts masquerade as utility applications on the official Google Play Store, using the names File Manager, Phone Manager, Smart Manager, Software Update Utility, and Kakao Security to trick unsuspecting users into infecting their own devices.
All the identified apps offer the promised functionality to avoid raising suspicion while stealthily deploying spyware-related components in the background. The apps have since been removed from the app marketplace.
ScarCruft, also called APT27 and Reaper, is a North Korean state-sponsored cyber espionage group active since 2012. Attack chains orchestrated by the group primarily leverage RokRAT as a means to harvest sensitive data from Windows systems. RokRAT has since been adapted to target macOS and Android.
The malicious Android apps, once installed, are engineered to contact a Firebase Firestore cloud database to retrieve a configuration containing the actual command-and-control (C2) server address.
By using a legitimate service like Firestore as dead drop resolver, the two-stage C2 approach offers both flexibility and resiliency, allowing the threat actor to change the C2 address at any time and operate undetected.
“After retrieving the C2 address, KoSpy ensures the device is not an emulator and that the current date is past the hardcoded activation date,” Lookout said. “This activation date check ensures that the spyware does not reveal its malicious intent prematurely.”
KoSpy is capable of downloading additional plugins as well as configurations in order to meet its surveillance objectives. The exact nature of the plugin remains unknown as the C2 servers are either no longer active or not responding to client requests.
The malware is designed to collect a wide range of data from the compromised device, including SMS messages, call logs, device location, files in local storage, screenshots, keystrokes, Wi-Fi network information, and the list of installed applications. It’s also equipped to record audio and take photos.
Lookout said it identified infrastructure overlaps between the KoSpy campaign and those previously linked to another North Korean hacking group called Kimsuky (aka APT43).
In a statement shared with The Hacker News, Google said: “The use of regional language suggests this was intended as targeted malware. Before any user installations, the latest malware sample discovered in March 2024 was removed from Google Play. Google Play Protect automatically protects Android users from known versions of this malware on devices with Google Play Services, even when apps come from sources outside of Play.”
Contagious Interview Manifests as npm Packages
The disclosure comes as Socket discovered a set of six npm packages that are designed to deploy a known information-stealing malware called BeaverTail, which is linked to an ongoing North Korean campaign tracked as Contagious Interview. The list of now-removed packages is below –
- is-buffer-validator
- yoojae-validator
- event-handle-package
- array-empty-validator
- react-event-dependency
- auth-validator
The packages are designed to collect system environment details, as well as credentials stored in web browsers such as Google Chrome, Brave, and Mozilla Firefox. It also targets cryptocurrency wallets, extracting id.json from Solana and exodus.wallet from Exodus.
“The six new packages – collectively downloaded over 330 times – closely mimic the names of widely trusted libraries, employing a well-known typosquatting tactic used by Lazarus-linked threat actors to deceive developers,” Socket researcher Kirill Boychenko said.
“Additionally, the APT group created and maintained GitHub repositories for five of the malicious packages, lending an appearance of open source legitimacy and increasing the likelihood of the harmful code being integrated into developer workflows.”
North Korean Campaign Uses RustDoor and Koi Stealer
The findings also follow the discovery of a new campaign that has been found targeting the cryptocurrency sector with a Rust-based macOS malware called RustDoor (aka ThiefBucket) and a previously undocumented macOS variant of a malware family known as Koi Stealer.
Palo Alto Networks Unit 42 said the characteristics of the attackers bear similarities to Contagious Interview, and that it’s assessing with medium confidence that the activity was carried out on behalf of the North Korean regime.
Specifically, the attack chain involves the use of a fake job interview project that, when executed via Microsoft Visual Studio, attempts to download and execute RustDoor. The malware then proceeds to steal passwords from the LastPass Google Chrome extension, exfiltrate data to an external server, and download two additional bash scripts for opening a reverse shell.
The final stage of the infection entails the retrieval and execution of another payload, a macOS version of Koi Stealer that impersonates Visual Studio to trick victims into entering their system password, thereby allowing it to gather and exfiltrate data from the machine.
“This campaign highlights the risks organizations worldwide face from elaborate social engineering attacks designed to infiltrate networks and steal sensitive data and cryptocurrencies,” security researchers Adva Gabay and Daniel Frank said. “These risks are magnified when the perpetrator is a nation-state threat actor, compared to a purely financially motivated cybercriminal.”
