Cyber breach on Android: North Korean malware defies store security

KoSpy malware managed to break through Google Play's defenses


In today's world, smartphones are more than just gadgets; they are vaults for our personal lives. That is why the news of North Korean hackers sneaking spyware into Android's official store, Google Play, is so alarming.

Uncovered by Lookout security researchers,[1] the case shows how even trusted app stores can be used for cyber espionage. The malware, named KoSpy, hid in plain sight inside utility apps, targeting Korean- and English-speaking users to steal sensitive data such as messages, call logs, location and screenshots.

The attack is attributed to the North Korean state-sponsored group APT37

The discovery of KoSpy marks a bold move by North Korean hackers. Lookout researchers found the spyware in apps such as "Phone Manager" and "Smart Manager", distributed through Google Play and third-party stores. The apps posed as tools to optimize your phone but secretly harvested data from unsuspecting users.

According to Lookout's findings, KoSpy could "monitor SMS, calls, location, files, and screenshots via dynamically loaded plugins." In other words, once installed it could watch and record almost everything on the phone. Alemdar Islamoglu, a security intelligence engineer at Lookout, explained:

KoSpy is a new Android spyware attributed to the North Korean group APT37. It masquerades as utility apps and targets Korean and English-speaking users.

The earliest KoSpy samples date from March 2022 and the most recent from March 2024, so the campaign ran quietly for roughly two years before Google removed the apps; Google Play Protect now blocks known versions on devices with Google Play Services.[2]

Malware used Google's own cloud service for remote control and hid from analysis

How did KoSpy slip past Android's defenses? The answer lies in its design. Rather than contacting a suspicious server directly, the spyware first pulled its configuration from Google's Firebase Firestore (a cloud database service for app data), which told it whether to activate and where its command-and-control server was. Because traffic to Firebase is what countless legitimate apps generate, KoSpy's check-ins blended in.

It also played hide-and-seek with analysis tools. KoSpy checked whether it was running on an emulator (the virtual phone a researcher or automated sandbox would use) and stayed dormant until a hard-coded activation date had passed, so early analysis saw nothing malicious. Once active, it downloaded extra "plugins", small modules that extended its spying capabilities to things like keystroke logging and audio recording.

Collected data was encrypted and uploaded to the attackers' servers. This combination of legitimate infrastructure and anti-analysis checks shows how far North Korean mobile tradecraft has come.
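The behaviours described above (Firestore used as a configuration channel, an emulator check, a date-based activation gate, dynamically loaded plugins, and permissions a phone "optimizer" has no reason to request) can be turned into a static triage heuristic. The script below is an added example, not code from the original article or from Lookout; the permission list, marker strings, weights, thresholds and the sample app data are all constructed assumptions, and the activation date literal is hypothetical, not one taken from KoSpy. The input is the kind of permission list and string table a tool such as apktool or jadx would extract from an APK.

```python
"""Static triage heuristic for KoSpy-style Android spyware (constructed example)."""
import re
from dataclasses import dataclass, field

# Permissions that a phone-cleaner has no business requesting; each maps to the
# kind of data KoSpy collected (SMS, calls, location, audio, keystrokes).
SPYWARE_PERMISSIONS = {
    "READ_SMS": "read SMS",
    "RECEIVE_SMS": "intercept SMS",
    "READ_CALL_LOG": "read call log",
    "ACCESS_FINE_LOCATION": "track location",
    "RECORD_AUDIO": "record audio",
    "CAMERA": "take photos",
    "BIND_ACCESSIBILITY_SERVICE": "log keystrokes via accessibility",
}

# Strings typical of emulator-detection code (assumption: common checks, not a
# list taken from KoSpy itself).
EMULATOR_MARKERS = ("ro.kernel.qemu", "goldfish", "ranchu", "generic_x86", "sdk_gphone")
# Firestore client class path / endpoint, i.e. the legitimate service abused for config.
FIRESTORE_MARKERS = ("com/google/firebase/firestore", "firestore.googleapis.com")
# Class loaders used to pull in "plugin" DEX code at runtime.
DYNAMIC_LOAD_MARKERS = ("dalvik/system/DexClassLoader", "dalvik/system/PathClassLoader")
# A hard-coded YYYY-MM-DD literal is a cheap proxy for a date-based activation gate.
DATE_LITERAL = re.compile(r"\b20\d{2}-\d{2}-\d{2}\b")


@dataclass
class Triage:
    findings: dict = field(default_factory=dict)
    score: int = 0
    verdict: str = "low"


def _short(perm: str) -> str:
    """'android.permission.READ_SMS' -> 'READ_SMS' (bare names pass through)."""
    return perm.rsplit(".", 1)[-1]


def triage_app(permissions, strings) -> Triage:
    """Score one app from its manifest permissions and extracted strings."""
    t = Triage()
    hits = [p for p in map(_short, permissions) if p in SPYWARE_PERMISSIONS]
    if hits:
        t.findings["spyware_permissions"] = hits
        t.score += len(hits)  # one point per intrusive permission

    blob = "\n".join(strings)

    def mark(name, markers, weight):
        found = [m for m in markers if m in blob]
        if found:
            t.findings[name] = found
            t.score += weight
        return bool(found)

    emu = mark("emulator_check", EMULATOR_MARKERS, 2)
    fs = mark("firestore_config", FIRESTORE_MARKERS, 1)  # low weight: legitimately common
    dyn = mark("dynamic_plugin_load", DYNAMIC_LOAD_MARKERS, 2)
    dates = DATE_LITERAL.findall(blob)
    if dates:
        t.findings["date_gate_candidate"] = dates
        t.score += 1
    # The three together are the KoSpy-like chain: fetch config from Firestore,
    # refuse to run in a sandbox, then load plugins. Weight the combination.
    if emu and fs and dyn:
        t.findings["kospy_like_chain"] = ["firestore config + emulator check + plugin loader"]
        t.score += 3

    t.verdict = "likely spyware" if t.score >= 8 else "review" if t.score >= 4 else "low"
    return t


# Constructed sample data: a fake "Phone Manager" with KoSpy-like traits ...
SUSPICIOUS_PERMISSIONS = [
    "android.permission.INTERNET", "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO", "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.READ_EXTERNAL_STORAGE",
]
SUSPICIOUS_STRINGS = [
    "Lcom/google/firebase/firestore/FirebaseFirestore;",
    "ro.kernel.qemu",
    "Ldalvik/system/DexClassLoader;",
    "2023-02-14",  # hypothetical activation-date literal, not KoSpy's real one
    "AES/CBC/PKCS5Padding",
    "Phone Manager",
]
# ... and a benign cleaner that also happens to use Firestore and ship a build date.
BENIGN_PERMISSIONS = ["android.permission.INTERNET", "android.permission.READ_EXTERNAL_STORAGE"]
BENIGN_STRINGS = ["Lcom/google/firebase/firestore/FirebaseFirestore;", "Phone Manager", "build 2024-06-30"]

if __name__ == "__main__":
    for label, perms, strs in (("suspicious", SUSPICIOUS_PERMISSIONS, SUSPICIOUS_STRINGS),
                               ("benign", BENIGN_PERMISSIONS, BENIGN_STRINGS)):
        r = triage_app(perms, strs)
        print(f"{label}: score={r.score} verdict={r.verdict} findings={r.findings}")
```

Firestore use on its own is deliberately scored low, since plenty of honest apps store data there; it is the combination with a sandbox check and a runtime class loader in an app that also wants SMS, audio and accessibility access that pushes the verdict over the line. The same permission logic is what a user does by hand when reviewing an app's permission list.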

North Korea's state-backed hacking groups have been active for years

This isn't the first time North Korean hackers have targeted mobile users or disguised malware as legitimate software. APT37, the group behind KoSpy, has been active since 2012 and frequently targets South Korea. In 2023 another North Korean group, Lazarus, hid malware in software tools aimed at developers.[3]

Beyond espionage, North Korea's hackers also chase money. In early 2025, Lazarus pulled off a $1.5 billion cryptocurrency theft from the Bybit exchange, combining malware with social engineering.[4]

KoSpy, by contrast, appears to be about spying rather than cash: its low download numbers suggest it was aimed at specific individuals, most likely in South Korea, for intelligence gathering. This fits North Korea's pattern of using cyber operations to spy on rivals while funding the regime through heists.

Staying safe in a risky app world

The KoSpy case shows that even official app stores are not bulletproof. Google removed the apps, but it is a reminder for users that North Korean operators are adept at slipping through the cracks.

Review app permissions (a phone cleaner has no need to read your SMS or record audio), keep Google Play Protect enabled and your phone updated, avoid sideloading apps from third-party stores, and consider a mobile security app to catch trouble early. As cyber threats grow smarter, so must we, because in this game our phones are the prize.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

