
North Korean Spyware KoSpy Targets Android Users Via Fake Apps
Researchers from cybersecurity firm Lookout have uncovered a new Android spyware, KoSpy, attributed to the North Korean hacking group APT37, also known as ScarCruft.
In a Rush? Here are the Quick Facts!
- The malware steals SMS, call logs, location, audio, files, and screenshots.
- KoSpy apps were on Google Play but have been removed by Google.
- The spyware communicates via Firebase and a two-stage Command and Control system.
The malware, first spotted in March 2022, remains active and has been embedded in fake utility apps like “File Manager,” “Software Update Utility,” and “Kakao Security.” These apps, previously available on Google Play and third-party stores such as Apkpure, were designed to target Korean and English-speaking users.
KoSpy collects a wide range of sensitive information, including text messages, call logs, location data, files, audio recordings, and screenshots.
The spyware operates using a two-stage command-and-control (C2) system, first retrieving configurations from a Firebase cloud database before establishing communication with remote servers. This setup allows the attackers to change servers or disable the malware as needed.
Google has removed all known malicious apps from its Play Store. A spokesperson stated, “Google Play Protect automatically protects Android users from known versions of this malware on devices with Google Play Services, even when apps come from sources outside of Play,” as reported by The Record.
KoSpy also shares infrastructure with another North Korean state-backed hacking group, APT43, known for spearphishing campaigns that deploy malware to steal sensitive data. This overlap in infrastructure makes precise attribution difficult, but Lookout researchers link KoSpy to APT37 with medium confidence.
ScarCruft has been conducting cyber-espionage operations since 2012, primarily targeting South Korea but also extending its reach to Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and the Middle East. The group has been linked to attacks on media organizations and high-profile academics, as well as a malware operation in Southeast Asia.
Although KoSpy is no longer available on the Google Play Store, researchers warn that users should remain cautious of suspicious apps, especially those requesting excessive permissions. Keeping devices updated and relying on official app stores with security protections like Google Play Protect can help mitigate risks.