Pierluigi Paganini
March 13, 2025
North Korea-linked threat actor ScarCruft (aka APT37, Reaper, and Group123) is behind a previously undetected Android surveillance tool named KoSpy that was used to target Korean and English-speaking users.
ScarCruft has been active since at least 2012, it made the headlines in early February 2018 when researchers revealed that the APT group leveraged a zero-day vulnerability in Adobe Flash Player to deliver malware to South Korean users.
Kaspersky first documented the operations of the group in 2016. Cyber attacks conducted by the APT37 group mainly targeted government, defense, military, and media organizations in South Korea.
Lookout researchers attributed the spyware to the ScarCruft group with medium confidence. The researchers state that the threat is a relatively new malware family with early samples going back to March 2022. The most recent samples detected by the cybersecurity firm are dated March 2024.
“KoSpy has been observed using fake utility application lures, such as “File Manager”, “Software Update Utility” and “Kakao Security,” to infect devices.” reads the report published by the researchers. “The spyware leveraged the Google Play Store and Firebase Firestore to distribute the app and receive configuration data. All the apps mentioned in the report have been removed from Google Play, and the associated Firebase projects have been deactivated by Google.”
KoSpy collects SMS, calls, location, files, audio, and screenshots via plugins. The surveillance tool
The spyware masquerades as five different apps: 휴대폰 관리자 (Phone Manager), File Manager, 스마트 관리자 (Smart Manager), 카카오 보안 (Kakao Security) and Software Update Utility.
The experts noticed that the app disguises itself as utility apps with basic functions, except Kakao Security, which tricks users with a fake permission request.
Before activation, KoSpy checks if it is running in a virtualized environment and confirms that the current date is past the hardcoded activation date to avoid analysis and detection.
Upon execution, the spyware retrieves an encrypted configuration from Firebase Firestore, controlling activation and the C2 server address. This setup allows attackers to enable, disable, or change servers for stealth and resilience.
KoSpy communicates with its C2 servers through two request types: one for downloading plugins and another for retrieving surveillance configurations. The configuration request, sent as an encrypted JSON, controls parameters like C2 ping frequency, plugin URLs, and victim messages. The spyware uses a unique IT for each victim that is calculated through a hardware fingerprint. While some C2 domains remain online, they do not respond to client requests. The spyware transmits the encrypted data via AES to multiple Firebase projects and C2 servers for further exploitation.
Lookout researchers found connections between KoSpy and North Korean threat groups APT43 and APT37. One of C2 domains, st0746[.]net, links to an IP address in South Korea previously associated with malicious Korea-related domains. These include naverfiles[.]com and mailcorp[.]center, linked to Konni malware used by APT37, and nidlogon[.]com, part of APT43’s infrastructure. The shared infrastructure suggests KoSpy may be part of broader cyber-espionage operations targeting Korean users.
“In addition to its ties to APT37, this KoSpy campaign also has ties to infrastructure used by APT43 – another North Korean hacking group. North Korean threat actors are known to have overlapping infrastructure, targeting and TTPs which makes attribution to a specific actor more difficult.” concludes the report. “Based on the aforementioned shared infrastructure, common targeting and connection recency, Lookout researchers attribute this KoSpy activity to APT37 with medium confidence.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ScarCruft)
