New North Korean Android spyware slips onto Google Play – BleepingComputer
New SuperBlack ransomware exploits Fortinet auth bypass flawsClickFix attack delivers infostealers, RATs in fake Booking.com emailsMicrosoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flawsCISA: Medusa ransomware hit over 300 critical infrastructure orgsSuspected LockBit ransomware dev extradited to United StatesEnhance your online privacy with this SurfShark VPN dealMicrosoft apologizes for removing VSCode extensions used by millionsNew SuperBlack ransomware exploits Fortinet auth bypass flawsHow to access the Dark Web using the Tor BrowserHow to enable Kernel-mode Hardware-enforced Stack Protection in Windows 11How to use the Windows Registry EditorHow to backup and restore the Windows RegistryHow to start Windows in Safe ModeHow to remove a Trojan, Virus, Worm, or other MalwareHow to show hidden files in Windows 7How to see hidden files in WindowsRemove the Theonlinesearch.com Search RedirectRemove the Smartwebfinder.com Search RedirectHow to remove the PBlock+ adware browser extensionRemove the Toksearches.xyz Search RedirectRemove Security Tool and SecurityTool (Uninstall Guide)How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundoHow to remove Antivirus 2009 (Uninstall Instructions)How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKillerLocky Ransomware Information, Help Guide, and FAQCryptoLocker Ransomware Information Guide and FAQCryptorBit and HowDecrypt Information Guide and FAQCryptoDefense and How_Decrypt Ransomware Information Guide and FAQQualys BrowserCheckSTOPDecrypterAuroraDecrypterFilesLockerDecrypterAdwCleanerComboFixRKillJunkware Removal TooleLearningIT Certification CoursesGear + GadgetsSecurityBest VPNsHow to change IP addressAccess the dark web safelyBest VPN for YouTubeA new Android spyware named ‘KoSpy’ is linked to North Korean threat actors who have infiltrated Google Play and third-party app store APKPure through at least five malicious apps.According to Lookout researchers, the spyware is attributed to the North Korean threat group APT37 (aka ‘ScarCruft’). The campaign has been active since March 2022, with the threat actors actively developing the malware based on newer samples.The spyware campaign primarily targets Korean and English-speaking users by disguising itself as file managers, security tools, and software updaters.The five apps Lookout identified are 휴대폰 관리자 (Phone Manager), File Manager (com.file.exploer), 스마트 관리자 (Smart Manager), 카카오 보안 (Kakao Security), and Software Update Utility.The malicious apps offer at least some of the promised functionality but load the KoSpy spyware in the background.The only exception is Kakao Security, which only displays a fake system window while requesting access to risky permissions. The campaign was attributed to APT37 based on IP addresses previously linked to North Korean operations, domains that facilitated the distribution of Konni malware, and infrastructure that overlaps with APT43, another DPRK-sponsored threat group.Once active on the device, KoSpy retrieves an encrypted configuration file from a Firebase Firestore database to evade detection.Next, it connects to the actual command and control (C2) server and runs checks to ensure it’s not running in an emulator. The malware can retrieve updated settings from the C2, additional payloads to execute, and be activated/deactivated dynamically via an “on/off” switch.KoSpy’s data collection capabilities are:Each app uses a separate Firebase project and C2 server for the data exfiltration, which is encrypted with a hardcoded AES key prior to transmission.Although the spyware apps have now been removed from both Google Play and APKPure, users will need to manually uninstall them and scan them with security tools to uproot any remnants of the infection from their devices. In critical cases, a factory reset is recommended.Google Play Protect is also able to block known malicious apps, so enabling it on up-to-date Android devices can help protect against KoSpy.A Google spokesperson confirmed to BleepingComputer that all the KoSpy apps identified by Lookout have been removed from Google Play and that the corresponding Firebase projects have also been taken down.”The use of regional language suggests this was intended as targeted malware. Before any user installations, the latest malware sample discovered in March 2024 was removed from Google Play,” Google told BleepingComputer.”Google Play Protect automatically protects Android users from known versions of this malware on devices with Google Play Services, even when apps come from sources outside of Play.”Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.Serbian police used Cellebrite zero-day hack to unlock Android phonesSpyLend Android malware downloaded 100,000 times from Google PlayGoogle blocked 2.36 million risky Android apps from Play Store in 2024BadBox malware disrupted on 500K infected Android devicesGoogle expands Android AI scam detection to more Pixel devicesNot a member yet? Register NowMicrosoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flawsMicrosoft apologizes for removing VSCode extensions used by millionsMicrosoft replacing Remote Desktop app with Windows App in MayQilin Ransomware: Uncovering the TTPs Behind One of Today’s Most Active ThreatsOverdue a password health-check? Audit your Active Directory for freeTMPN Skuld Stealer: Malware wreaking havoc on open sourceThe vCISO Academy: Transforming MSPs and MSSPs into Cybersecurity PowerhousesAre you preventing browser-based data leaks? Learn how to stop these new threatsTerms of Use – Privacy Policy – Ethics Statement – Affiliate DisclosureCopyright @ 2003 – 2025 Bleeping Computer® LLC – All Rights ReservedNot a member yet? Register NowRead our posting guidelinese to learn what content is prohibited.
