What a week for Play Store. Google has been busy with its delete button, with multiple threats sneaking their way inside Android’s best secured app vault. Not a good look. And all this has come hot on the heels of the latest warning that Android is under attack.
First came an ad fraud scheme leading to the deletion of 180 apps with 56 million downloads, then another dangerous Anatsa/Teabot trojan ejected from the store, and even fake Play Store pages tricking users into high-risk installs.
Now another threat has been outed, with Google confirming all the newly “identified apps” hiding a nasty new spyware have also been ousted from Play Store. This latest warning came courtesy of Lookout, which attributed the new KoSpy malware “to the North Korean group APT37 [ScarCruft].”
The team says the spyware “can collect extensive data, such as SMS messages, call logs, location, files, audio, and screenshots.” It’s a North Korean team effort with “evidence of infrastructure being shared with APT43 [Kimsuky], another notorious North Korean state-sponsored group.” Both groups target users in multiple countries.
The new malware attacks both English and Korean speakers, seemingly dates back at least to early 2022, and is still in the wild now. “KoSpy has been observed using fake utility application lures, such as ‘File Manager’, ‘Software Update Utility’ and ‘Kakao Security,’ to infect devices.” The spyware comes with an impressive list of capabilities:
- “Collecting SMS messages
- Collecting call logs
- Retrieving device location
- Accessing files and folders on the local storage
- Recording audio and taking photos with the cameras
- Capturing screenshots or recording the screen while in use
- Recording key strokes by abusing accessibility services
- Collecting wifi network details
- Compiling a list of installed applications.”
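The capability list above maps fairly directly onto the Android permissions an app has to declare. As an added example (not from Lookout’s report or from the article), here is a small triage script that reads a decoded AndroidManifest.xml (as produced by apktool, an assumption) and reports which of the listed capabilities the app’s declared permissions would allow; the capability-to-permission mapping and the two sample manifests are my own construction, written to contrast a lure “File Manager” with an honest one.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities from the Lookout KoSpy list, mapped to the Android permissions
# an app would need to declare for them (mapping is an assumption of this example).
CAPABILITY_PERMISSIONS = {
    "sms":           {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_logs":     {"android.permission.READ_CALL_LOG"},
    "location":      {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
    "files":         {"android.permission.READ_EXTERNAL_STORAGE", "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "audio_camera":  {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"},
    "keylogging":    {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "wifi":          {"android.permission.ACCESS_WIFI_STATE"},
    "app_inventory": {"android.permission.QUERY_ALL_PACKAGES"},
}

def declared_permissions(manifest_xml: str) -> set[str]:
    """Collect <uses-permission android:name> plus android:permission on <service>
    (accessibility services declare BIND_ACCESSIBILITY_SERVICE there, not via uses-permission)."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    perms |= {e.get(ANDROID_NS + "permission") for e in root.iter("service")}
    perms.discard(None)
    return perms

def matched_capabilities(manifest_xml: str) -> list[str]:
    """Return the sorted list of KoSpy-style capabilities the manifest permits."""
    perms = declared_permissions(manifest_xml)
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed)

def is_suspicious(manifest_xml: str, threshold: int = 4) -> bool:
    """Flag for manual review when a utility app requests four or more spyware-grade capabilities."""
    return len(matched_capabilities(manifest_xml)) >= threshold

# Constructed manifests for demonstration (not real samples).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.filemanager">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""

SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.lure.filemanager">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application><service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""

if __name__ == "__main__":
    for label, m in (("benign", BENIGN_MANIFEST), ("suspect", SUSPECT_MANIFEST)):
        print(label, matched_capabilities(m), "suspicious" if is_suspicious(m) else "ok")
```

A file manager that legitimately needs storage access has no reason to also read SMS, call logs and keystrokes, which is the mismatch this check surfaces.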
While none of the identified apps remain on Play Store, they will be available elsewhere. “KoSpy samples in Lookout’s corpus masquerade as five different apps: 휴대폰 관리자 (Phone Manager), File Manager, 스마트 관리자 (Smart Manager), 카카오 보안 (Kakao Security) and Software Update Utility.” If any are on your phone, delete them now.
As well as KoSpy, you should remove any of the ad fraud and Anatsa apps (per links above), which Google has also confirmed have been deleted from the store. You should also ensure Google’s Play Protect is enabled at all times on your device.
In response to Lookout’s report, Google told me “the use of regional language suggests this was intended as targeted malware. Before any user installations, the latest malware sample discovered in March 2024 was removed from Google Play. Google Play Protect automatically protects Android users from known versions of this malware on devices with Google Play Services, even when apps come from sources outside of Play.”
Google is updating Play Protect to make it easier to pause its defenses to facilitate sideloading. As this new warning clearly illustrates, you should never do this unless you’re absolutely sure of the legitimacy of the app you’re installing and of its source. As I’ve warned before, this new option is dangerous and needs handling with care.