Lookout Discovers North Korean APT37 Mobile Spyware
Lookout researchers have discovered KoSpy, a new Android spyware attributed to the North Korean threat actor APT37 (ScarCruft), active from March 2022 to March 2024. The malware targets Korean and English speakers by disguising itself as utility apps and uses a two-stage C2 infrastructure with Firebase Firestore. KoSpy collects extensive data including messages, calls, location, files, recordings, screenshots, and keystrokes through dynamic plugins. The malware was distributed through both Google Play and third-party stores before Google removed the apps. Researchers found infrastructure links between KoSpy and both the APT37 and APT43 (Kimsuky) groups.