At least 5 North Korean spy apps have been found on Google Play — what you need to know
Be careful what you download

You always need to be careful about the apps you install on Android, even if you download them directly from Google Play. Researchers have found that at least 5 different apps, all of which passed Google Play’s security vetting, are actually malware spying for the North Korean government.
The malware has been named KoSpy by Lookout, the security firm that discovered it. In all 5 cases these apps are disguised as utility apps, designed to help with file management, software updates and, ironically, device security.
What were these apps looking for?
But instead of actually helping you, these apps are secretly collecting sensitive personal data. Data collected include SMS messages, call logs, location data, files, nearby audio, keystrokes, Wi-Fi details and installed apps — with the added ability to take screenshots and record your screen.
All of those collection methods could capture some incredibly delicate personal details, only for them to be sent to servers controlled by North Korean intelligence workers.
Lookout claims it has “medium confidence” that the North Korean spy groups behind these apps have been previously tracked under the names APT37 (ScarCruft) and APT43 (Kimsuky).
The researchers noted that these apps seem to target English and Korean speakers, and have been found in at least 2 different Android app stores, including Google Play and APKPure. The affected apps include:
- 휴대폰 관리자 (Phone Manager)
- File Manager
- 스마트 관리자 (Smart Manager)
- 카카오 보안 (Kakao Security)
- Software Update Utility
What happens now?
You probably wouldn’t spot this problem by looking at the apps on their own. After all, a good spy network isn’t going to be caught out based on something stupid. Ars Technica notes that the developer email address is a standard Gmail address, with a privacy policy hosted on a Blogspot account.
Ars notes that while the privacy policy page doesn’t raise any red flags, the IP addresses hosting the command-and-control servers do. In fact, they’ve been reported to have hosted at least 3 domains known to host infrastructure relating to North Korean intelligence operations since 2019.
Google also told the site that the “most recent app sample” was removed from Google Play before anyone could download it. The company didn’t offer any further information, but mentioned that Google Play Protect can detect some malicious apps when you install them on Android, regardless of the source.
That said, this is another example of why people should be careful when installing apps on their phone — even if you’re installing directly from Google Play. Don’t install random apps that don’t offer any meaningful benefit, and always be sure to check which permissions your apps are asking for.
Only give apps access to the things they need, rather than approving every random request an app makes. There’s no reason for a File Manager to need your location data, after all.
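One way to run that permission check across every app on a phone at once, as an added example that is not part of the original article. It reads text in the layout of `adb shell dumpsys package` output and reports apps holding sensitive permissions beyond what their stated purpose needs; the permission-to-category mapping, the `audit` function and the sample package names are assumptions made here, not details from Lookout's report.

```python
import re

# Android permissions that gate some of the data categories named in the
# article. This mapping is an assumption of the example, not Lookout's list.
SENSITIVE = {
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "nearby audio",
    "android.permission.READ_EXTERNAL_STORAGE": "files",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "files",
}
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

def audit(dumpsys_text, expected=frozenset({"files"})):
    """Return {package: granted sensitive categories outside `expected`}."""
    findings, current = {}, None
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)  # following permission lines belong to this app
            continue
        m = PERM_RE.match(line)
        if not (m and current and m.group(2) == "true"):
            continue  # not a permission line, or permission not granted
        category = SENSITIVE.get(m.group(1))
        if category and category not in expected:
            findings.setdefault(current, set()).add(category)
    return {pkg: sorted(cats) for pkg, cats in findings.items()}

# Constructed sample; the package names are made up for illustration.
SAMPLE = """\
  Package [com.example.filemanager] (1a2b3c):
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
  Package [com.example.notes] (4d5e6f):
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    for pkg, cats in audit(SAMPLE).items():
        print(f"{pkg}: unexpected access to {', '.join(cats)}")
```

The default `expected` set treats file access as normal for a file manager, so only the location and SMS grants are reported for the sample app.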
Tom is Tom's Guide's UK Phones Editor, tackling the latest smartphone news and vocally expressing his opinions about upcoming features or changes. It's a long way from his days as editor of Gizmodo UK, when pretty much everything was on the table. He’s usually found trying to squeeze another giant Lego set onto the shelf, draining very large cups of coffee, or complaining about how terrible his Smart TV is.