North Korea's ScarCruft Deploys KoSpy Malware, Spying on Android Users via Fake Utility Apps
Briefly

ScarCruft, a North Korean state-sponsored cyber espionage group, is behind a new Android malware called KoSpy, targeting Korean- and English-speaking users. Identified by Lookout, this malware can gather comprehensive data, including SMS messages and location information, through seemingly innocuous utility apps on the Google Play Store. First detected in March 2022, these apps have since been removed. KoSpy uses a complex command-and-control system allowing it to operate stealthily, making it a significant threat to user privacy.
KoSpy can collect extensive data, such as SMS messages, call logs, location, files, audio, and screenshots via dynamically loaded plugins.
The malicious Android apps, once installed, are engineered to contact a Firebase Firestore cloud database to retrieve a configuration containing the actual command-and-control (C2) server address.
Read at The Hacker News