Lookout researchers discovered traces of a spyware strain on the Google Play Store. Dubbed KoSpy, the malware hid in the code of five Android apps. It also made its way into a popular third-party app store, APKPure.
Screenshots, photos, passwords... KoSpy can plunder a smartphone
Once installed on the victim's smartphone, KoSpy downloads an encrypted configuration file from a remote server. This configuration file allows the malicious payload to be installed without arousing the suspicion of Play Protect.
The spyware then intercepts all text messages sent and received by the phone, tracks the device's movements, steals files, records its surroundings with the microphone, takes photos, records videos, captures screenshots, and monitors everything typed on the touchscreen keyboard. In this way, it can get its hands on sensitive information, such as logins and passwords. This is why Lookout describes the malware as "a new surveillance tool." In short, it is a real disaster for your privacy and for your bank account.
The five apps infected by KoSpy
That is why we recommend that you uninstall all apps infected by KoSpy from your smartphone, namely Phone Manager, File Manager, Smart Manager, Kakao Security, and Software Update Utility. The malicious apps are disguised as classic utility apps, such as file managers. To avoid alerting the user, the apps offer some of the features promised in their descriptions. This is not the case with the Kakao Security app, which has "no useful functionality" and merely displays a fake system window while requesting several permissions. In addition, the spying functions can be temporarily disabled if the malware believes it has been discovered.
Alerted by Lookout, Google has removed all infected applications from its Play Store. Questioned by Bleeping Computer, the American company states that "the last malware sample discovered in March 2024 has been removed from Google Play". Now, "Google Play Protect automatically protects Android users from known versions of this malware on devices with Google Play Services, even when the apps come from sources outside of Play".
APKPure has also banned all apps hiding KoSpy. If you realize that a malicious app is, or has been, installed on your smartphone, take the time to scan your entire device with an antivirus. As a precaution, you may want to factory reset your phone: in case of infection, deleting the app alone is not enough.
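The capabilities listed above (SMS interception, location tracking, microphone and camera capture, file theft, a fake system window) each require a well-known Android permission, so one practical triage step beside an antivirus scan is to look at which installed packages request that whole combination. The following script is an added example, not code from the article or from Lookout: it parses the `requested permissions:` sections of `adb shell dumpsys package` output and flags any package whose requested permissions cover several of those capabilities at once. The package names and the dumpsys excerpt are constructed for the demo; the permission names are the standard Android ones, and the threshold is an assumption you should tune. Keystroke and screenshot capture normally go through an accessibility service or MediaProjection rather than a requested permission, so they are deliberately not scored here.

```python
"""Triage installed Android packages for a surveillance-grade permission footprint.

Added example (not from the Lookout report or the article). Feed it the output of
`adb shell dumpsys package`; the excerpt below is a constructed sample.
"""
import re
from collections import defaultdict

# Capabilities the article attributes to KoSpy, mapped to the standard Android
# permissions an app would have to request to implement them.
CAPABILITY_PERMISSIONS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_BACKGROUND_LOCATION"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.MANAGE_EXTERNAL_STORAGE"},
    # A "fake system window" is drawn over other apps with this permission.
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}

PACKAGE_HEADER = re.compile(r"^\s*Package \[([\w.]+)\]")
SECTION_HEADER = re.compile(r"^\s+(\w[\w ]*):\s*$")
PERMISSION_LINE = re.compile(r"^\s+(android\.permission\.[A-Z_]+)")


def parse_requested_permissions(dumpsys_text):
    """Return {package_name: set(permission)} from dumpsys package output."""
    perms = defaultdict(set)
    current_pkg = None
    in_requested = False
    for line in dumpsys_text.splitlines():
        m = PACKAGE_HEADER.match(line)
        if m:
            current_pkg = m.group(1)
            in_requested = False
            continue
        if current_pkg is None:
            continue
        section = SECTION_HEADER.match(line)
        if section:
            # Only the "requested permissions" block lists what the manifest asks for.
            in_requested = section.group(1) == "requested permissions"
            continue
        if in_requested:
            p = PERMISSION_LINE.match(line)
            if p:
                perms[current_pkg].add(p.group(1))
    return dict(perms)


def surveillance_profile(permissions):
    """Return the capability names a set of permissions would enable."""
    return {cap for cap, needed in CAPABILITY_PERMISSIONS.items()
            if permissions & needed}


def flag_packages(dumpsys_text, min_capabilities=4):
    """Return {package: sorted capabilities} for packages covering the threshold.

    min_capabilities is an assumed heuristic: a utility app rarely needs SMS,
    location, microphone and camera together. Review flagged apps by hand.
    """
    flagged = {}
    for pkg, perms in parse_requested_permissions(dumpsys_text).items():
        caps = surveillance_profile(perms)
        if len(caps) >= min_capabilities:
            flagged[pkg] = sorted(caps)
    return flagged


# Constructed dumpsys excerpt: one over-privileged "file utility" and one benign app.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.fileutil] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.ACCESS_FINE_LOCATION
      android.permission.RECORD_AUDIO
      android.permission.CAMERA
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.weather] (4d5e6f):
    userId=10124
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    for pkg, caps in flag_packages(SAMPLE_DUMPSYS).items():
        print(f"REVIEW {pkg}: {', '.join(caps)}")
```

On a real device, capture the input with `adb shell dumpsys package > dump.txt` and pass the file contents to `flag_packages`. A hit is a reason to inspect the app, not proof of infection; the article's own advice (uninstall the named apps, run a full antivirus scan, consider a factory reset) still applies.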
A cyberattack from North Korea
The KoSpy campaign has been active since early 2022. It primarily targets English- and Korean-speaking users. Researchers attribute the KoSpy operation to a North Korean hacking group known as ScarCruft. The cybercriminals are financially supported by the North Korean state.
Active since 2012, the group primarily targets individuals and organizations in South Korea. In recent years, it has also made a name for itself by hacking Russian, Chinese, and Japanese entities. It notably targeted a Russian ballistic missile manufacturer.
Source: Lookout