Lookout Threat Lab researchers have discovered a novel Android surveillance tool, dubbed KoSpy, which appears to target Korean and English-speaking users. The spyware, attributed with medium confidence to the North Korean APT group ScarCruft (also known as APT37), is a relatively new family with early samples going back to March 2022. The most recent samples were acquired in March 2024.

KoSpy has been observed using fake utility application lures, such as "File Manager", "Software Update Utility" and "Kakao Security," to infect devices. The spyware leveraged the Google Play Store and Firebase Firestore to distribute the app and receive configuration data. All the apps mentioned in the report have been removed from Google Play, and the associated Firebase projects have been deactivated by Google.

ScarCruft is a North Korean state-sponsored cyber espionage group active since 2012. While primarily targeting South Korea, it has also conducted operations in countries including Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and several Middle Eastern nations. 

KoSpy

KoSpy samples in Lookout’s corpus masquerade as five different apps: 휴대폰 관리자 (Phone Manager), File Manager, 스마트 관리자 (Smart Manager), 카카오 보안 (Kakao Security) and Software Update Utility. The samples with utility application lures have basic interfaces which open up the related internal phone settings view. For instance, the Software Update Utility opens up the Software Update screen under the System settings. The File Manager app functions as a simple file browser with some additional features. Kakao Security app on the other hand, doesn’t have any useful functionality and displays a fake system window and requests multiple permissions.

Behind the basic interface, KoSpy starts the spyware functionality by first getting a simple configuration from Firebase Firestore. This encrypted configuration contains two parameters: an “on”/”off” switch and the Command and Control (C2) server address. This two-staged C2 management approach provides the threat actor with flexibility and resiliency. They can enable or disable the spyware and change C2 addresses at any time in the case of a C2 being detected or blocked.

After retrieving the C2 address, KoSpy ensures the device is not an emulator and that the current date is past the hardcoded activation date. This activation date check ensures that the spyware does not reveal its malicious intent prematurely.

C2 Communication and Infrastructure

KoSpy sends two different types of requests to the C2 address. One downloads plugins while the other retrieves configurations for the surveillance functions. The plugin request is supposed to receive an encrypted, compressed binary; however, this could not be confirmed since no C2 was active during the analysis. The configuration request is set to receive a JSON document which configures the following settings: C2 ping frequency, messages to show the user in Korean and English, URL to download a plugin and the class name to dynamically load.

An example of a “conf” request can be seen in the image above. The request is an HTTP POST request and the payload is in JSON format. Values in the JSON are encrypted and Base64 encoded while the field names are clear text. The “vtr” field contains the unique victim ID generated from the hardware fingerprint and Android ID. The “type” field can be one of “conf” or “code” which determines the type of C2 request. The “pref” field is a composite field and contains information such as package name, app version, device language, hardware details and a list of enabled permissions.

KoSpy can collect an extensive amount of sensitive information on the victim devices with the help of the dynamically loaded plugins. These capabilities include:

• Collecting SMS messages
• Collecting call logs
• Retrieving device location
• Accessing files and folders on the local storage
• Recording audio and taking photos with the cameras
• Capturing screenshots or recording the screen while in use
• Recording key strokes by abusing accessibility services
• Collecting wifi network details
• Compiling a list of installed applications

The collected data is sent to the C2 servers after getting encrypted with a hardcoded AES key. Lookout researchers observed five different Firebase projects and five different C2 servers during the analysis of the available KoSpy samples which can be seen in the indicators of compromise section.

Targeting and Distribution

Lookout researchers assess that this KoSpy campaign was targeted at Korean and English speaking users. More than half of the apps have Korean language titles and the UI supports two languages: English and Korean. The messages and text fields in the app are shown in Korean if the device language is set to Korean and in English otherwise. 

‍

Some of the samples of KoSpy were available for download from the Google Play Store alongside the third party app store Apkpure. However, no app is currently publicly available on Google Play Store. A cached snapshot of the Play Store listing page¹ for the File Manager app (com.file.exploer) shows that the app was publicly available for a while and was downloaded more than ten times. The snapshot also reveals that the developer account was named “Android Utility Developer” and the developer contact email address was mlyqwl@gmail[.]com. The related privacy policy page was set to https://goldensnakeblog.blogspot[.]com/2023/02/privacy-policy.html. The listing also contained an embedded Youtube video to promote the app. The video was uploaded to the @filemanager-android channel² and the channel also contained a Youtube Shorts video.

Attribution

Lookout researchers observed that this KoSpy activity has connections to previous malicious activities attributed to two North Korean threat groups: APT43 and APT37. One of the C2 domains of KoSpy, st0746[.]net, resolves³ to the IP address 27.255.79[.]225 located in South Korea. This IP address was associated with many potentially malicious Korea-related domain names in the past:

KoSpy C2 domains are tied to suspicious domains by shared infrastructure.

The domain names naverfiles[.]com and mailcorp[.]center have been reported⁴ to be involved in attacks targeting Korean users using the Konni desktop malware. Konni⁵ is a Windows RAT family linked to the APT37⁶ threat actor.

Another domain tied to the same IP address, nidlogon[.]com, was reported⁷ to be part of the command and control infrastructure of Thallium (a.k.a. Kimsuky, APT43) by Microsoft.

In addition to its ties to APT37, this KoSpy campaign also has ties to infrastructure used by APT43 - another North Korean hacking group.  North Korean threat actors are known to have overlapping  infrastructure, targeting and TTPs which makes attribution to a specific actor more difficult. Based on the aforementioned shared infrastructure, common targeting and connection recency, Lookout researchers attribute this KoSpy activity to APT37 with medium confidence.

Indicators of Compromise

Files

911d9f05e1c57a745cb0c669f3e1b67ac4a08601

cd62a9ab320b4f6be49be11c9b1d2d5519cc4860

2d1537e92878a3a14b5b3f55b32c91b099513ae0

f08f036a0c79a53f6b0c9ad84fb6eac1ac79c168

df39ab90c89aa77a92295721688b18e7f1fdb38d

ea6d12e4a465a7a44cbad12659ade8a4999d64d1

1cc97e490b5f8a582b6b03bdba58cb5f1a389e78

1a167b65be75fd0651bbda072c856628973a3c1e

985fd1f74eb617b1fea17095f9e991dcaceec170

744e5181e76c68b8b23a19b939942de9e1db1daa

062a869caac496d0182decfadc57a23057caa4ab

b84604cad2f3a80fb50415aa069cce7af381e249

3278324744e14ddf4f4312d375f82b31026f51b5

5639fa1fa389ed32f8a8d1ebada8bbbe03ac5171

‍

C2 Domains

joinupvts[.]org

resolveissue[.]org

crowdon[.]info

resolveissue[.]org

st0746[.]net

‍

Firebase Projects

mydb-a1554

project-27ef0

project-75f80

smart-743cf

version-25b53

‍

Citations

¹ https://play.google.com/store/apps/details?id=com.file.exploer

²https://www.youtube.com/@filemanager-android

³https://www.virustotal.com/gui/ip-address/27.255.79.225/relations

⁴https://www.kisia.or.kr/bucket/uploads/2022/12/09/%EC%82%AC%EC%9D%B4%EB%B2%84%EB%B3%B4%EC%95%88%20%EB%8C%80%EC%97%B0%ED%95%A9%20%EB%B6%84%EA%B3%BC%EB%B3%84%20%EB%B3%B4%EA%B3%A0%EC%84%9C(3%EC%B0%A8)_%EC%B5%9C%EC%A2%85.pdf

⁵https://malpedia.caad.fkie.fraunhofer.de/details/win.konni

⁶https://malpedia.caad.fkie.fraunhofer.de/actor/apt37

⁷https://noticeofpleadings.com/thallium/files/Ghaffari%20Declaration%20in%20Support%20of%20Motion%20for%20TRO%20and%20Preliminary%20Injunc.pdf