North Korean government hackers snuck spyware on Android app store

A group of hackers with links to North Korea uploaded Android spyware to the Google Play app store and managed to trick some people into downloading it, according to cybersecurity firm Lookout.

In a report published on Wednesday, and shared exclusively with TechCrunch ahead of time, Lookout details an espionage campaign involving several different samples of an Android spyware called KoSpy, which the company attributes with “high confidence” to the North Korean government.

At least one of the spyware apps was at some point on Google Play and was downloaded more than 10 times, according to a cached snapshot of the app's page on the official Android app store. Lookout included a screenshot of the page in its report.

In the past few years, North Korean hackers have made headlines, especially for bold crypto heists, such as the recent theft of about $1.4 billion in Ethereum from crypto exchange Bybit, with the aim of furthering the country's banned nuclear weapons program. In the case of this new spyware campaign, all signs indicate that this is a surveillance operation, based on the functionality of the spyware apps identified by Lookout.

A screenshot of an archived version of the Google Play Store page of an app that posed as a file manager but was in reality North Korean spyware, according to Lookout. (Photo: Lookout)

The goals of the North Korean spyware campaign are unknown, but Christoph Hebeisen, director of security intelligence research at Lookout, told TechCrunch that with only a few downloads, the spyware app was likely targeting specific people.

According to Lookout, KoSpy collects “a wide amount of sensitive information,” including SMS text messages, call logs, the device's location data, files and folders on the device, user-entered keystrokes, Wi-Fi network details, and a list of installed apps.

KoSpy can also record audio, take pictures with the phone's cameras, and capture screenshots of the screen in use.

Lookout also found that KoSpy relied on Firestore, a cloud database built on Google Cloud infrastructure, to retrieve “initial configurations.”

Google spokesperson Ed Fernandez told TechCrunch that Lookout shared its report with the company, and “all of the identified apps were removed from Play [and] Firebase projects deactivated,” including the KoSpy sample that was on Google Play.

“Google Play automatically protects users from known versions of this malware on Android devices with Google Play Services,” said Fernandez.

Google did not comment on a series of specific questions about the report, including whether Google agrees with the attribution to North Korea, and other details about Lookout's report.

Contact us

Do you have more information about KoSpy, or any other spyware? From a non-work device and network, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You can also contact TechCrunch via SecureDrop.

The report also said that Lookout found some of the spyware apps on the third-party app store APKPure. An APKPure spokesperson said the company did not receive an “email” from Lookout.

The person, or people, in control of the developer email address listed on the Google Play page that hosted the spyware app did not respond to TechCrunch's request for comment.

Lookout's Hebeisen, along with Alemdar Islamoglu, a senior staff security intelligence researcher, told TechCrunch that although Lookout has no information about who specifically may have been targeted (in effect, hacked), the company is confident that this was a highly targeted campaign, most likely going after people in South Korea who speak English or Korean.

Lookout's assessment is based on the names of the apps it found, some of which are in Korean, and on the fact that some of the apps have Korean-language titles and a user interface that supports both languages, according to the report.

Lookout also found that the spyware apps use domain names and IP addresses that were previously identified as being present in malware and command-and-control infrastructure used by the North Korean hacking groups APT37 and APT43.

“The great thing about the threat actors in North Korea is that they, apparently, are somewhat successful in getting apps into official app stores,” said Hebeisen.
