Android apps laced with North Korean spyware found in Google Play – Ars Technica

Google’s Firebase platform also hosted configuration settings used by the apps.
Researchers have discovered multiple Android apps, some of them available in Google Play after passing the company’s security vetting, that surreptitiously uploaded sensitive user information to spies working for the North Korean government.

Samples of the malware—named KoSpy by Lookout, the security firm that discovered it—masquerade as utility apps for managing files, app or OS updates, and device security. Behind those interfaces, the apps can collect a variety of information, including SMS messages, call logs, location, files, nearby audio, and screenshots, and send it to servers controlled by North Korean intelligence personnel. The apps target English-language and Korean-language speakers and have been available in at least two Android app marketplaces, including Google Play.

The surveillanceware masquerades as the following five different apps:

Besides Play, the apps have also been available in the third-party APKPure market. The following image shows how one such app appeared in Play.
[Image: the KoSpy app listing as it appeared in Google Play. Credit: Lookout]
The image shows that the developer email address was mlyqwl@gmail[.]com and that the privacy policy page for the app was located at https://goldensnakeblog.blogspot[.]com/2023/02/privacy-policy.html. “I value your trust in providing us your Personal Information, thus we are striving to use commercially acceptable means of protecting it,” the page states. “But remember that no method of transmission over the internet, or method of electronic storage is 100% secure and reliable, and I cannot guarantee its absolute security.”

The page, which remained available at the time this post went live on Ars, has no reports of malice on VirusTotal. By contrast, the IP addresses hosting the command-and-control servers have previously hosted at least three domains that have been known since at least 2019 to host infrastructure used in North Korean spy operations.

Even when not hosted in Play, the apps relied on a two-stage command-and-control infrastructure that retrieved configuration settings from a database hosted on Firebase, a web application developer platform provided by Google. Google has since removed both apps and the configuration database from its infrastructure.

In a post published Wednesday, Lookout researcher Alemdar Islamoglu wrote:

KoSpy can collect an extensive amount of sensitive information on the victim devices with the help of the dynamically loaded plugins. These capabilities include:

The collected data is sent to the C2 servers after getting encrypted with a hardcoded AES key. Lookout researchers observed five different Firebase projects and five different C2 servers during the analysis of the available KoSpy samples, which can be seen in the indicators of compromise section.

A Google representative didn’t respond to emails asking precisely how many of the KoSpy apps were hosted in Play and over what time span.
The representative also said that the most recent app sample was removed from Play before it received any downloads but didn’t reply to a request seeking data on other samples. The representative went on to note that Google Play Protect can detect some malicious apps installed on Android devices “even when apps come from sources outside of Play.”

Lookout said it has medium confidence that the North Korean spy groups tracked under the names APT37 (ScarCruft) and APT43 (Kimsuky) were behind the malicious apps.

Android users should give careful thought to any app before installing it. Many apps provide no meaningful benefit at all, as was the case with the apps detected by Lookout. In other cases, a normal mobile browser can perform the same tasks. Anyone concerned that the apps may have been installed on a device they’re responsible for should check the above-mentioned indicators of compromise, provided at the bottom of Wednesday’s post.
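The check recommended above, comparing what is installed on a device against a published indicator list, can be scripted. The following is an added example written for this page; it is not code from Ars Technica or from Lookout’s report. It assumes the package listing was captured with `adb shell pm list packages -i`, whose lines have the form `package:<name>  installer=<installer package or null>`, and the indicator package names it uses are placeholders, not KoSpy indicators; the real ones come from the indicators-of-compromise section of Lookout’s post. As the article notes, a Play installer is not by itself evidence of safety, so the script also flags packages installed from third-party stores for manual review.

```python
"""Triage an Android package listing against a list of indicator package names.

Added example for this article, not Ars Technica's or Lookout's code.
Assumptions: input is `adb shell pm list packages -i` output; the IoC
package names below are placeholders to be replaced with the published ones.
"""

import re
from dataclasses import dataclass

# Constructed sample of `pm list packages -i` output (not from a real device).
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.filemanager.placeholder  installer=com.android.vending
package:com.example.updater.placeholder  installer=null
package:com.android.settings  installer=null
package:org.example.notes  installer=com.apkpure.aegon
"""

# Placeholder indicator package names; NOT taken from the article or report.
IOC_PACKAGES = {
    "com.example.filemanager.placeholder",
    "com.example.updater.placeholder",
}

# Installer package treated as the first-party store (Google Play).
PLAY_INSTALLER = "com.android.vending"

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")


@dataclass(frozen=True)
class Finding:
    package: str
    installer: str
    reason: str


def parse_pm_output(text):
    """Return {package_name: installer} parsed from `pm list packages -i` lines.

    Lines that do not match the expected shape are skipped rather than guessed at.
    """
    result = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            result[match.group("pkg")] = match.group("inst")
    return result


def triage(packages, iocs=IOC_PACKAGES):
    """Flag packages that match an indicator or came from a third-party store.

    installer=null covers both preinstalled system apps and sideloaded APKs,
    so it is not flagged on its own; an indicator match is flagged regardless
    of installer, since the article documents samples that were in Play itself.
    """
    findings = []
    for pkg, inst in sorted(packages.items()):
        if pkg in iocs:
            findings.append(Finding(pkg, inst, "matches indicator package name"))
        elif inst not in (PLAY_INSTALLER, "null"):
            findings.append(Finding(pkg, inst, "installed from third-party store; review manually"))
    return findings


def main():
    packages = parse_pm_output(SAMPLE_PM_OUTPUT)
    for finding in triage(packages):
        print(f"{finding.package} (installer={finding.installer}): {finding.reason}")


if __name__ == "__main__":
    main()
```

To run it against a real device, replace `SAMPLE_PM_OUTPUT` with the captured listing and `IOC_PACKAGES` with the package names from the published indicator list; an indicator match is a reason to preserve the device for investigation rather than simply uninstall the app.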