eandt.theiet.org

North Korean hackers spread spyware through Google Play disguised as utility apps

**North Korean hackers have infiltrated the Google Play app store, uploading spyware masquerading as utility apps.**

According to a report from cyber-security firm Lookout, the spyware, known as KoSpy, has been distributed by the APT37 hacking group, which is thought to be backed by the North Korean state. The group, believed to have been active since 2012, has previously attacked financial institutions, primarily in South Korea, although in recent years it has also targeted other countries.

The report found that the spyware was first observed in March 2022 and remains active, with new samples still publicly hosted. 

KoSpy can collect extensive data, such as SMS messages, call logs, location, files, audio and screenshots via dynamically loaded plug-ins on Android phones. As well as on Google Play, the apps have been found on third-party app stores such as APKPure.

KoSpy was observed using fake utility application lures, such as ‘File Manager’, ‘Software Update Utility’ and ‘Kakao Security’, to infect devices. The apps offered only minimal interfaces that opened the corresponding screen in the phone’s system settings. For instance, the Software Update Utility simply opens the software update screen under the system settings.

The File Manager app functions as a simple file browser with some additional features, while Kakao Security doesn’t appear to have any useful functionality and displays a fake system window while requesting multiple permissions.
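The pattern described above, a thin utility front-end that requests far more data access than its stated purpose needs, is something an analyst can check mechanically. The script below is an added example written for this article; it is not code from Lookout, Google or the page itself. It parses a decoded AndroidManifest.xml (the form apktool or aapt produces), maps the requested permissions to the data categories the article says KoSpy collects (SMS, call logs, location, files, audio) plus the overlay permission used to draw fake system windows, and compares them with an assumed baseline of what the advertised app type plausibly needs. The baseline profiles, the `_manifest` helper and both sample manifests (including the `com.example.*` package names) are constructed for the example and are not real KoSpy artefacts.

```python
"""Permission-overreach triage for Android APK manifests.

Added example for this article, not code from Lookout, Google or the
threat actor.  It reads a decoded AndroidManifest.xml (as produced by
apktool/aapt), maps requested permissions to the data categories the
article says KoSpy collects, and compares them with what the app's
advertised purpose plausibly needs.  The expected-permission profiles and
the two sample manifests are assumptions constructed for the example."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names -> data category they unlock.
SENSITIVE = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.READ_EXTERNAL_STORAGE": "files",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "files",
    # Lets an app draw over other apps: fake "system" dialogs and consent prompts.
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
}

# Assumed baseline: what each advertised app type plausibly needs.
EXPECTED = {
    "file_manager": {"files"},
    "update_utility": set(),   # a real updater just deep-links into Settings
    "security": set(),
}


def parse_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(manifest_xml, advertised):
    """Compare requested sensitive categories against the advertised purpose."""
    perms = parse_permissions(manifest_xml)
    categories = {SENSITIVE[p] for p in perms if p in SENSITIVE}
    overreach = categories - EXPECTED[advertised]
    if len(overreach) >= 3:
        verdict = "suspicious"   # multi-channel collection unrelated to purpose
    elif overreach:
        verdict = "review"
    else:
        verdict = "ok"
    return {
        "permissions": sorted(p for p in perms if p),
        "overreach": sorted(overreach),
        "verdict": verdict,
    }


def _manifest(package, *permissions):
    """Build a minimal decoded manifest string (constructed sample input)."""
    body = "".join(
        f'  <uses-permission android:name="{p}"/>\n' for p in permissions
    )
    return (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android"\n'
        f'          package="{package}">\n{body}</manifest>\n'
    )


# Constructed samples (hypothetical package names, not real KoSpy artefacts).
BENIGN_FILE_MANAGER = _manifest(
    "com.example.filemanager",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.INTERNET",
)
FAKE_SECURITY_APP = _manifest(
    "com.example.fakesecurity",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.INTERNET",
)

if __name__ == "__main__":
    for name, xml, kind in [
        ("file manager", BENIGN_FILE_MANAGER, "file_manager"),
        ("security app", FAKE_SECURITY_APP, "security"),
    ]:
        print(name, triage(xml, kind))
```

The manifest alone cannot reveal the dynamically loaded plug-ins the article mentions, since those arrive after installation; this check only catches the static over-request, so treat a "suspicious" verdict as a prompt for dynamic analysis of what the app fetches at runtime, not as a conviction.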

All the apps mentioned in the report have now been removed from Google Play.

Lookout said it found evidence of infrastructure behind the attack being shared with APT43, another notorious North Korean state-sponsored group also known as Kimsuky.

North Korea is thought to use cyber attacks both to raise foreign currency for the state and to gather strategic intelligence.

In February, an attack on Bybit, a Dubai-based cryptocurrency exchange, saw [approximately $1.5bn](https://eandt.theiet.org/2025/02/24/hackers-steal-15bn-biggest-cryptocurrency-heist-ever-recorded) in digital assets stolen from its Ethereum wallet. While Bybit hasn’t said outright who the hackers are, fingers have pointed towards North Korea. 

The incident has precedent – North Korean cyber criminals were thought to be behind at least seven attacks on cryptocurrency platforms in 2021 that extracted [nearly $400m](https://eandt.theiet.org/2022/01/14/north-korean-hackers-ramped-crypto-attacks-2021) worth of digital assets.
