The North Korea-linked risk actor known as ScarCruft is said to have been behind a never-before-seen Android security application named KoSpy targeting Asian and English-speaking people.
Alert, which shared details of the malware plan, said the earliest versions date back to March 2022. The most recent tests were flagged in March 2024. It’s no clear how powerful these efforts were.
” KoSpy can collect extensive information, such as SMS messages, call reports, location, data, audio, and pictures via dynamically loaded addons”, the company in an examination.
The harmful objects masquerade as energy programs on the standard Google Play Store, using the labels File Manager, Phone Manager, Smart Manager, Software Update Utility, and Kakao Security to trap unsuspecting users into infecting their own devices.
All the identified applications offer the promised efficiency to avoid raising fear while cautiously deploying spyware-related parts in the background. The programs have since been removed from the software market.
ScarCruft, also called APT27 and Harvester, is a North Korean state-sponsored computer spying party engaged since 2012. Attack stores orchestrated by the team mostly leverage as a means to produce sensitive information from Windows systems. has since been adapted to pin os and Android.
The malicious Android apps, once installed, are engineered to contact a Firebase Firestore cloud database to retrieve a configuration containing the actual command-and-control ( C2 ) server address.
By using a reputable company like Firestore as dead fall resolver, the two-stage C2 approach offers both flexibility and resiliency, allowing the threat actor to change the C2 address at any time and work undetected.
” After retrieving the C2 address, KoSpy ensures the device is not an emulator and that the current date is past the hardcoded activation date”, Lookout said. ” This activation date check ensures that the spyware does not reveal its malicious intent prematurely”.
KoSpy is capable of downloading additional plugins as well as configurations in order to meet its surveillance objectives. The exact nature of the plugin remains unknown as the C2 servers are either no longer active or not responding to client requests.
The malware is designed to collect a wide range of data from the compromised device, including SMS messages, call logs, device location, files in local storage, screenshots, keystrokes, Wi-Fi network information, and the list of installed applications. It’s also equipped to record audio and take photos.
Lookout said it identified infrastructure overlaps between the KoSpy campaign and those previously linked to another North Korean hacking group called Kimsuky (aka APT43 ).
Contagious Interview Manifests as npm Packages
The disclosure comes as Socket discovered a set of six npm packages that are designed to deploy a known information-stealing malware called Beaver Tail, which is linked to an ongoing North Korean campaign as . The list of now-removed packages is below-
- is-buffer-validator
- yoojae-validator
- event-handle-package
- array-empty-validator
- react-event-dependency
- auth-validator
The packages are designed to collect system environment details, as well as credentials stored in web browsers such as Google Chrome, Brave, and Mozilla Firefox. It also targets cryptocurrency wallets, extracting id. json from Solana and exodus. wallet from Exodus.
” The six new packages – collectively downloaded over 330 times – closely mimic the names of widely trusted libraries, employing a well-known typosquatting tactic used by Lazarus-linked threat actors to deceive developers”, Socket researcher Kirill Boychenko .
” Additionally, the APT group created and maintained GitHub repositories for five of the malicious packages, lending an appearance of open source legitimacy and increasing the likelihood of the harmful code being integrated into developer workflows”.
North Korean Campaign Uses RustDoor and Koi Stealer
The findings also follow the discovery of a new campaign that has been found targeting the cryptocurrency sector with a Rust-based macOS malware called (aka ) and a previously undocumented macOS variant of a malware family known as .
Palo Alto Networks Unit 42 said the characteristics of the attackers bear similarities to Contagious Interview, and that it’s assessing with medium confidence that the activity was carried out on behalf of the North Korean regime.
Specifically, the attack chain involves the use of a fake job interview project that, when executed via Microsoft Visual Studio, attempts to download and execute RustDoor. The malware then proceeds to steal passwords from the LastPass Google Chrome extension, exfiltrate data to an external server, and download two additional bash scripts for opening a reverse shell.
The final stage of the infection entails the retrieval and execution of another payload, a macOS version of Koi Stealer that impersonates Visual Studio to trick victims into entering their system password, thereby allowing it to gather and exfiltrate data from the machine.
” This campaign highlights the risks organizations worldwide face from elaborate social engineering attacks designed to infiltrate networks and steal sensitive data and cryptocurrencies”, security researchers Adva Gabay and Daniel Frank . ” These risks are magnified when the perpetrator is a nation-state threat actor, compared to a purely financially motivated cybercriminal”.