Android users should be careful what they download from the Google Play store, as security researchers recently found a selection of apps which contained North Korean spyware hosted there. The five affected apps appeared to be benign system utilities like file managers, but once installed could collect personal information like SMS messages, call logs, and device location.
The spyware apps were identified by Lookout Threat Lab, which highlighted the following apps in both English and Korean: 휴대폰 관리자 (Phone Manager), File Manager, 스마트 관리자 (Smart Manager), 카카오 보안 (Kakao Security), and Software Update Utility. These apps have since been removed from the Play Store by Google.
The apps used a new surveillance tool called KoSpy, thought to originate from a North Korean state-sponsored hacking group called ScarCruft or APT37.
“KoSpy is a new Android spyware attributed to the North Korean group APT37. It masquerades as utility apps and targets Korean and English speaking users,” the security researchers Lookout Threat Lab warned. “KoSpy can collect extensive data, such as SMS messages, call logs, location, files, audio, and screenshots via dynamically loaded plugins.”
The apps that were affected didn’t really work as they said they did: some of them did perform some functions with basic interfaces that opened up Android settings view, while others did not function at all and showed only a fake system window. But once installed, the apps could download plugins and collect surveillance information. Some of the information the apps could surveil included data on SMS messages, call logs, device location, local files and folders, recording screenshots and key strokes, and even recording audio or taking photos with the phone’s cameras.
Now that the apps have been removed from the Play Store it’s not clear how many people may have downloaded them and been affected, but it’s a good reminder to check the sources and reputation of apps before you download them and give them access to your device.
