
North Korean Hackers Deploy New Android Spyware in Global Cyber Espionage Campaign
According to The Hacker News, the North Korean cyber espionage group ScarCruft has been linked to a previously undocumented Android spyware family called KoSpy. The malware targets Korean- and English-speaking users, and its earliest known samples date to March 2022. KoSpy can collect SMS messages, call logs, device location, files and photos, and can record audio from the device microphone.
KoSpy was distributed through Google Play disguised as legitimate utility apps with names such as File Manager and Kakao Security. The apps delivered the functionality they advertised so as not to raise suspicion while loading the spyware in the background. Google has since removed the malicious applications from its store.
ScarCruft, active since 2012, is best known for attacks on Windows systems but has expanded its operations to macOS and Android. Rather than hardcoding its command-and-control (C2) server, KoSpy first contacts a Firebase Firestore document and reads the real C2 address from it. Because Firestore is a legitimate Google service, the initial request blends in with ordinary app traffic, and the operators can rotate the C2 address without shipping a new app version, which makes the infrastructure harder to track and block. Before it activates, the spyware checks that it is running on a real device rather than an emulator and that the current date is past a hardcoded activation date, two checks that defeat many automated sandbox runs. Once active, KoSpy can download additional plugins to extend its surveillance capabilities; the exact nature of those plugins is unknown because the C2 servers were inactive at the time of analysis. The malware can also record keystrokes, capture screenshots, and collect details of nearby Wi-Fi networks.
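The dead-drop and gating behaviour described above is easier to reason about in code. The following Python model is an added illustration, not KoSpy's own code or anything from the Lookout or Hacker News reports; the Firestore field names, the activation date, the emulator markers and the sample documents are all assumptions constructed for this example. It shows why a sandbox run on an emulator, or with a clock earlier than the activation date, never sees any traffic beyond the Firestore lookup.

```python
"""Model of the Firestore dead-drop plus activation gating pattern.

Illustrative only, not KoSpy's code. Field names, the activation date,
emulator markers and the sample document are constructed assumptions.
"""
import json
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed: the shape of a Firestore REST document ("fields" holds typed
# values). An operator can change the "c2" value server-side at any time.
SAMPLE_FIRESTORE_DOC = json.dumps({
    "name": "projects/example/databases/(default)/documents/config/app",
    "fields": {
        "c2": {"stringValue": "https://c2.example.invalid/api"},
        "active": {"booleanValue": True},
    },
})

# Assumed activation date; the real value is not given on the page.
ACTIVATION_DATE = date(2022, 3, 1)

# Assumed substrings of android.os.Build values typical of stock emulators.
EMULATOR_MARKERS = ("generic", "goldfish", "ranchu", "sdk_gphone", "emulator")


@dataclass
class DeviceInfo:
    """Subset of android.os.Build fields an app can read without permissions."""
    brand: str
    model: str
    fingerprint: str
    hardware: str


def resolve_c2_from_firestore(doc_json: str) -> Optional[str]:
    """Extract the C2 URL from a Firestore document, or None if absent/disabled."""
    fields = json.loads(doc_json).get("fields", {})
    if not fields.get("active", {}).get("booleanValue", False):
        return None
    return fields.get("c2", {}).get("stringValue")


def looks_like_emulator(dev: DeviceInfo) -> bool:
    """Heuristic emulator check: any known marker in the Build strings."""
    haystack = " ".join((dev.brand, dev.model, dev.fingerprint, dev.hardware)).lower()
    return any(marker in haystack for marker in EMULATOR_MARKERS)


def should_activate(dev: DeviceInfo, today: date, doc_json: str) -> Optional[str]:
    """Return the C2 to contact only when every gate passes, else None.

    Gate order matters for analysts: the emulator and date checks run before
    the dead-drop lookup, so a failed gate produces no network activity at all.
    """
    if looks_like_emulator(dev):
        return None
    if today < ACTIVATION_DATE:
        return None
    return resolve_c2_from_firestore(doc_json)


if __name__ == "__main__":
    real = DeviceInfo("samsung", "SM-G991B",
                      "samsung/o1sxxx/o1s:12/SP1A.210812.016:user/release-keys", "qcom")
    emu = DeviceInfo("google", "sdk_gphone64_x86_64",
                     "google/sdk_gphone64_x86_64/emu64x:13/TE1A.220922.010:userdebug", "ranchu")
    print("emulator:", should_activate(emu, date(2023, 1, 1), SAMPLE_FIRESTORE_DOC))
    print("real, too early:", should_activate(real, date(2022, 2, 1), SAMPLE_FIRESTORE_DOC))
    print("real, active:", should_activate(real, date(2023, 1, 1), SAMPLE_FIRESTORE_DOC))
```

The practical takeaway for detonation: run suspicious APKs on physical hardware (or hide emulator Build strings) and advance the device clock well past the sample's build date, otherwise the only observable is a request to firestore.googleapis.com. For network monitoring, a Firestore read followed by a connection to a never-before-seen host is a stronger signal than either event alone.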
Researchers also found overlaps between KoSpy's infrastructure and past operations attributed to Kimsuky, another North Korean state-sponsored group. Google said the apps were regionally targeted and that the malware was removed from Google Play before it could be installed on user devices.
Another recently reported North Korean Android malware, DocSwap, poses as a document viewer and tricks users into granting it accessibility permissions, which it then abuses for surveillance. It supports 57 distinct C2 commands covering extensive surveillance and data theft. DocSwap has primarily targeted South Korean Android users, though its distribution method has not been established.
In addition, a new wave of the Contagious Interview campaign was uncovered in which six malicious npm packages delivered the BeaverTail malware. The packages were named to resemble trusted libraries so that developers would install them by mistake or accept them as part of a supposed coding assignment. BeaverTail harvests system details, browser-stored credentials, and cryptocurrency wallet data.
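A lookalike-name check is the cheapest defence against the lure described above. The script below is an added example, not code from the Socket research or the Hacker News article; the trusted-package list and the sample package.json are constructed for the illustration, and the two lookalike patterns it flags (a name one edit or transposition away from a trusted package, and a trusted name with an appended suffix) are general heuristics rather than a description of the six packages in the report.

```python
"""Flag npm dependency names that resemble trusted packages.

Added illustration; not code from the reports this page summarises.
TRUSTED and SAMPLE_PACKAGE_JSON are constructed for the example.
"""
import json
import re
from typing import Dict, Optional

# Constructed allowlist. In practice, build this from your organisation's
# approved dependency inventory, not from a hand-picked set.
TRUSTED = {"lodash", "express", "is-buffer", "axios", "react", "chalk", "dotenv"}

# Constructed manifest: one transposition lookalike, one suffix lookalike,
# and two legitimate dependencies.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {
        "express": "^4.19.2",
        "lodahs": "^1.0.0",
        "is-buffer-validator": "^1.0.2",
    },
    "devDependencies": {"chalk": "^5.3.0"},
})


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transposition.

    Counting a swap of two neighbouring characters as one edit catches the
    classic typo lookalike ("lodahs" for "lodash") that plain Levenshtein
    would score as two substitutions.
    """
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[la][lb]


def lookalike_reason(name: str, trusted=TRUSTED) -> Optional[str]:
    """Explain why `name` resembles a trusted package; None if trusted or unrelated."""
    if name in trusted:
        return None
    base = name.split("/")[-1]  # ignore an npm scope such as @org/ if present
    for t in trusted:
        # Very short names produce too many near-misses, so require length >= 4.
        if len(t) >= 4 and edit_distance(base, t) <= 1:
            return f"edit distance 1 from trusted '{t}'"
        # "<trusted>-validator", "<trusted>.utils" and similar appended suffixes.
        if re.fullmatch(re.escape(t) + r"[-_.][a-z0-9-]+", base):
            return f"trusted name '{t}' with appended suffix"
    return None


def audit_manifest(package_json: str) -> Dict[str, str]:
    """Return {dependency name: reason} for every suspicious entry in a package.json."""
    manifest = json.loads(package_json)
    findings: Dict[str, str] = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in manifest.get(section, {}):
            reason = lookalike_reason(name)
            if reason:
                findings[name] = reason
    return findings


if __name__ == "__main__":
    for pkg, why in audit_manifest(SAMPLE_PACKAGE_JSON).items():
        print(f"{pkg}: {why}")
```

Treat a hit as a prompt for review rather than a verdict: legitimate package families such as react-dom would trip the suffix rule and belong in the allowlist, and a package that passes both checks can still be malicious. The check is most useful as a pre-install gate in CI, run against the lockfile so that transitive dependencies are covered too.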
Further investigation revealed a separate attack on the cryptocurrency sector using the RustDoor backdoor and the Koi Stealer infostealer. The attackers again used a fake job interview as the lure, sending victims a purported coding project that installed the malware. RustDoor exfiltrated sensitive information from the compromised system, while Koi Stealer posed as Visual Studio to prompt the user for their password and harvest it.
Together these campaigns show North Korean threat actors continuing to diversify their tradecraft, from Play Store spyware with cloud-hosted dead drops to poisoned npm packages and fake recruitment lures, in pursuit of sensitive information and cryptocurrency worldwide.