KoSpy is an Android spyware family described by Lookout as part of a surveillance campaign attributed with high confidence to the North Korean government. The activity has been linked in reporting to North Korean threat infrastructure associated with APT37/ScarCruft and APT43, and one source explicitly states ScarCruft deployed KoSpy. The campaign appears highly targeted rather than financially motivated, with researchers assessing that victims were likely specific individuals in South Korea who speak Korean or English.
KoSpy was distributed via trojanized Android applications, including fake utility apps such as a file manager, and at least one malicious app was available through Google Play, where a cached listing showed more than 10 downloads. Additional samples were also found on APKPure. Google reportedly removed the identified apps from Google Play, deactivated associated Firebase projects, and stated that Google Play Protect blocks known versions.
The malware’s capabilities are consistent with full-device surveillance on Android. Reported functions include collecting SMS messages, call logs, location data, files and folders, keystrokes, Wi-Fi network details, and installed application lists. It can also record audio, take photos using the device cameras, and capture screenshots. Lookout reported that KoSpy used Firestore to retrieve initial configuration.
High-confidence infrastructure details in the reporting indicate that KoSpy-related apps used domains and IP addresses previously identified in malware and command-and-control infrastructure linked to North Korean groups APT37 and APT43.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Lookout details an espionage campaign involving several different samples of an Android spyware it calls KoSpy, which the company attributes with “high confidence” to the North Korean government.
Lookout details an espionage campaign involving several different samples of an Android spyware it calls KoSpy, which the company attributes with “high confidence” to the North Korean government.
4 distinct techniques documented for this family, organized by ATT&CK tactic.
According to Lookout, KoSpy collects “an extensive amount of sensitive information,” including: SMS text messages, call logs, the device’s location data, files and folders on the device... and a list of installed apps.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
KoSpy is Android malware associated with ScarCruft that previously infiltrated Google Play.
A surveillance malware/tool referenced as part of Kimsuky Android espionage operations and explicitly contrasted with the Android TV botnets under discussion.
Android surveillance tool used by ScarCruft; distributed via fake utility apps; earliest versions date to March 2022 with samples through March 2024.
Android spyware used in a likely targeted surveillance campaign. It collects SMS messages, call logs, location data, files and folders, keystrokes, Wi-Fi details, and installed app lists, and can also record audio, take pictures, and capture screenshots. It used Firestore to retrieve initial configurations.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.