North Korean Cyber Espionage Group Deploys Advanced Android Spyware and Supply Chain Attacks

A North Korea-affiliated cyber threat group, ScarCruft (APT27/Reaper), has been identified as the force behind a newly discovered Android surveillance tool called KoSpy, designed to target both Korean and English-speaking users.

KoSpy: A Sophisticated Android Spyware

According to cybersecurity firm Lookout, the earliest traces of KoSpy date back to March 2022, with the most recent versions detected in March 2024. While the extent of the malware's success remains unclear, it possesses the capability to harvest extensive device data, including:

  • SMS messages
  • Call logs
  • Location tracking
  • Stored files
  • Screenshots
  • Audio recordings

Disguised as Utility Apps on Google Play

The spyware was distributed via seemingly legitimate utility apps on the Google Play Store, using names such as:

  • File Manager
  • Phone Manager
  • Smart Manager
  • Software Update Utility
  • Kakao Security

These applications delivered the expected functionality to avoid raising suspicion while secretly installing spyware components in the background. All identified apps have since been removed from the Play Store.

ScarCruft’s Evolving Attack Strategy

Active since 2012, ScarCruft is known for its cyber espionage operations, previously relying on RokRAT to target Windows systems. Over time, its attack toolkit has expanded, adapting RokRAT to macOS and Android to infiltrate a wider range of devices.

Clever C2 Evasion Using Firebase Firestore

Once installed, KoSpy contacts a Firebase Firestore database to retrieve the actual Command-and-Control (C2) server address. By leveraging a legitimate cloud service, the attackers gain:

  • Resilience: the real C2 address is not hard-coded in the app and can be changed at any time by editing the Firestore record.
  • Stealth: the initial lookup goes to a legitimate Google service, so network-based controls that rely on blocklisted domains are unlikely to flag it.

To further evade detection, KoSpy verifies that the device is not an emulator and checks whether the activation date has passed, ensuring the spyware remains hidden until it is ready to execute.

Advanced Data Collection Capabilities

KoSpy is capable of fetching additional plugins to enhance its surveillance capabilities. While the exact nature of these plugins remains unknown, the malware can already gather and exfiltrate:

  • Keystrokes
  • Wi-Fi network data
  • Installed applications list
  • Photos and audio recordings

Researchers at Lookout also noted infrastructure overlaps between KoSpy and previous North Korean cyber campaigns, including those attributed to another state-sponsored hacking group, Kimsuky (APT43).

Google’s Response

Google, in a statement to The Hacker News, indicated that the regional language used in the malware suggests the campaign was highly targeted. Google removed the latest KoSpy variant before any known user installations and stated that Google Play Protect safeguards Android users from identified versions of the malware, even when downloaded from sources outside the Play Store.


North Korean Supply Chain Attacks Target Developers

Alongside KoSpy, researchers have uncovered a separate cyber campaign linked to North Korea’s Contagious Interview operation. Security firm Socket identified six malicious npm packages designed to deploy the BeaverTail information-stealing malware.

The following now-removed packages were downloaded over 330 times before discovery:

  • is-buffer-validator
  • yoojae-validator
  • event-handle-package
  • array-empty-validator
  • react-event-dependency
  • auth-validator

These packages targeted software developers, collecting system details, browser credentials, and cryptocurrency wallet data from Solana and Exodus Wallet. The attackers used typosquatting tactics by mimicking trusted libraries and even maintained GitHub repositories for five of the packages to enhance their credibility.


North Korea’s Cryptocurrency Heist Tactics

In another campaign, North Korean hackers were found deploying RustDoor (ThiefBucket), a Rust-based macOS malware, alongside a newly identified macOS variant of Koi Stealer to target the cryptocurrency industry.

Security researchers from Palo Alto Networks Unit 42 found that the attack methodology aligns with the Contagious Interview campaign, leading to a medium-confidence assessment that the operation was carried out on behalf of the North Korean government.

Fake Job Interviews Used as Attack Vectors

The infection process starts with a fake job interview project that victims open using Microsoft Visual Studio. Once executed, the project downloads and runs RustDoor, which:

  • Steals passwords from the LastPass Chrome extension
  • Exfiltrates sensitive data to external servers
  • Executes additional malicious bash scripts

The final infection stage involves deploying Koi Stealer, which disguises itself as Visual Studio to trick victims into entering their system password. Once granted elevated privileges, the malware proceeds to exfiltrate additional sensitive data.

State-Sponsored Threats Posing a Major Risk

Security experts Adva Gabay and Daniel Frank warned that these campaigns underscore the growing risks posed by nation-state actors. Unlike financially motivated cybercriminals, state-backed hacking groups like those linked to North Korea are highly persistent, strategic, and well-funded, making their attacks particularly difficult to detect and prevent.

Key Takeaways & Mitigation Strategies

  • Android users should avoid downloading apps from unverified sources and enable Google Play Protect.
  • Developers must be cautious of typosquatting attacks and verify npm packages before integration.
  • Cryptocurrency professionals should exercise extreme caution when engaging in job interviews or project collaborations.
  • Organizations should harden security defenses, monitor for suspicious activity, and educate employees on social engineering tactics used by state-sponsored hackers.

Conclusion

The discovery of KoSpy, BeaverTail, RustDoor, and Koi Stealer highlights North Korea’s increasingly sophisticated cyber operations, targeting a broad spectrum of industries including government agencies, developers, and cryptocurrency firms. With state-backed groups refining their tactics, awareness and proactive cybersecurity measures are critical to mitigating these threats.