According to reports from cybersecurity company Lookout, a group of hackers, likely linked to the North Korean government, managed to infiltrate the Google Play store by placing spyware designed for Android devices. The malicious software, known as Kospy, was discovered in several versions by Lookout and is believed to have strong ties to the North Korean government.
One of the infected applications in the Google Play store had been downloaded over 10 times before being taken down. While North Korean hackers have previously made headlines for cryptocurrency theft, this latest attack appears to be focused on intelligence gathering based on the functionality of the spyware.
Kospy is capable of collecting a wide range of sensitive data including SMS messages, call history, geolocation, files, keystrokes, Wi-Fi information, and more. Additionally, the spyware can record audio, take photos using the device’s camera, and capture screenshots.
Google has taken action to remove all detected malicious applications from Google Play and disable related Firebase projects. Android users with Google Play services are said to be protected from known versions of this spyware. However, Google has not provided further details regarding the involvement of North Korea in the attack.
Not only were infected applications found in the official Google Play store, but Lookout also discovered compromised apps on third-party resources like APKPURA. These malicious applications were linked to the same domains and IP addresses previously associated with hacker groups operating on behalf of the North Korean government.
The identities of the developers behind the spyware remain unknown, and attempts to contact them through the email address listed on Google Play have been unsuccessful. Lookout speculates that the attack was likely targeting English and Korean-speaking users in South Korea based on the languages supported by the infected applications.