
KoSpy

KoSpy is an Android spyware platform discovered by Lookout Threat Intelligence in March 2025, attributed with medium confidence to the North Korean state-sponsored group ScarCruft (APT37). The spyware was distributed through Google Play and third-party app stores disguised as utility applications such as "File Manager," "Phone Manager," and "Kakao Security," targeting Korean and English-speaking users. KoSpy uses a two-stage C2 architecture: Firebase Firestore provides initial configuration (an activation switch and C2 address), while the actual C2 server delivers dynamically loaded plugins for surveillance functions including SMS collection, call log harvesting, location tracking, file exfiltration, audio recording, screenshot capture, and keylogging. Lookout identified infrastructure overlaps with APT43 (Kimsuky), suggesting shared resources between North Korean cyber operations.

Overview

Attribute Details
First Seen March 2022 (earliest samples)
Status Active as of March 2025; removed from Google Play
Type Spyware, surveillance tool
Aliases None known
Attribution ScarCruft (APT37 / Reaper / Ricochet Chollima), with infrastructure links to APT43 (Kimsuky)
Distribution Google Play Store, third-party app stores, fake utility applications

Origin and Lineage

Lookout published their analysis in March 2025, identifying KoSpy as a previously undocumented Android surveillance tool with samples dating back to March 2022. The three-year operational window before public disclosure indicates sustained, low-profile deployment characteristic of state-sponsored intelligence collection rather than financially motivated campaigns.

ScarCruft (also tracked as APT37 and Reaper) has been active since at least 2012 as a North Korean state-sponsored cyber espionage group. The group has historically focused on South Korean targets, including government officials, defectors, journalists, and human rights activists. KoSpy adds a documented Android surveillance implant to the group's toolset, extending collection beyond its traditional desktop and browser-based operations.

Lookout identified infrastructure overlaps between KoSpy's campaign and operations previously attributed to APT43 (Kimsuky), another North Korean state-sponsored group. This overlap suggests either shared infrastructure resources between DPRK cyber units or coordinated operations, consistent with broader intelligence assessments of North Korean cyber operations where multiple groups share tooling and infrastructure.

Distribution

Vector Details
Google Play Store Uploaded as utility apps; since removed by Google
Third-party app stores Fake utility applications hosted on alternative marketplaces

KoSpy masquerades as five different utility applications:

  1. File Manager
  2. Phone Manager (Korean: 휴대폰 관리자)
  3. Smart Manager (Korean: 스마트 관리자)
  4. Kakao Security (Korean: 카카오 보안)
  5. Software Update Utility

The choice of app names is calculated. File managers and system utilities are apps users expect to request broad permissions (storage, contacts, SMS), so the permission prompts look less suspicious. The "Kakao Security" lure specifically targets Korean users by impersonating a security tool for KakaoTalk, South Korea's dominant messaging platform. The Korean-language app names alongside English-language variants indicate dual targeting of Korean-speaking and English-speaking populations.

Google has since removed all identified KoSpy applications from the Play Store and deactivated the associated Firebase projects used for C2 configuration delivery.

Capabilities

Core Features

Capability Implementation
SMS collection Harvests all SMS messages from the device
Call log harvesting Extracts call history with numbers, timestamps, and durations
Location tracking Collects GPS coordinates and location data
File exfiltration Accesses and uploads files from local storage
Audio recording Records ambient audio via device microphone
Screenshot capture Takes screenshots of the current display
Keylogging Captures keystrokes across applications
Camera capture Photographs using device cameras
WiFi network data Collects information about connected WiFi networks and nearby devices
Installed app inventory Enumerates all applications installed on the device
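Each capability in the table maps to a runtime permission or privileged component that a genuine file manager has no reason to request, which makes the manifest the fastest triage point for a lure of this kind. The script below is an added example, not Lookout's tooling or KoSpy code: it pulls the requested permissions out of a constructed AndroidManifest.xml excerpt and reports those that exceed what the claimed app category needs. The package name and manifest are constructed; the permission-to-capability mapping uses the standard Android permission strings, and the use of an AccessibilityService for keylogging is an assumed implementation, not something the page confirms for KoSpy.

```python
"""Manifest permission triage for a 'file manager' lure (added example).

Standard Android permission behind each capability listed above. The
AccessibilityService binding (keylogging) is an assumed implementation.
"""
import re

CAPABILITY_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS collection",
    "android.permission.RECEIVE_SMS": "SMS collection",
    "android.permission.READ_CALL_LOG": "Call log harvesting",
    "android.permission.ACCESS_FINE_LOCATION": "Location tracking",
    "android.permission.ACCESS_COARSE_LOCATION": "Location tracking",
    "android.permission.RECORD_AUDIO": "Audio recording",
    "android.permission.CAMERA": "Camera capture",
    "android.permission.ACCESS_WIFI_STATE": "WiFi network data",
    "android.permission.QUERY_ALL_PACKAGES": "Installed app inventory",
}

# What the advertised app category legitimately needs (assumed baseline).
LURE_BASELINES = {
    "file manager": {
        "android.permission.INTERNET",
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.WRITE_EXTERNAL_STORAGE",
        "android.permission.MANAGE_EXTERNAL_STORAGE",
    },
}

PERMISSION_RE = re.compile(r'<uses-permission[^>]*android:name="([^"]+)"')
ACCESSIBILITY_RE = re.compile(
    r'android:permission="android\.permission\.BIND_ACCESSIBILITY_SERVICE"')


def requested_permissions(manifest_xml: str) -> set:
    """All <uses-permission> names declared in the manifest."""
    return set(PERMISSION_RE.findall(manifest_xml))


def triage(manifest_xml: str, lure: str) -> dict:
    """Permissions beyond the lure's baseline, each tagged with the
    surveillance capability it would enable, plus a keylogging indicator."""
    excess = sorted(requested_permissions(manifest_xml) - LURE_BASELINES[lure])
    mapped = {p: CAPABILITY_PERMISSIONS.get(p, "unlisted") for p in excess}
    keylog = bool(ACCESSIBILITY_RE.search(manifest_xml))
    suspicious = keylog or any(v != "unlisted" for v in mapped.values())
    return {"excess": mapped, "accessibility_service": keylog,
            "verdict": "review" if suspicious else "consistent"}


# Constructed manifest excerpt in the shape of the lure described above.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.filemanager">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <service android:name=".KeyService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for perm, cap in triage(SAMPLE_MANIFEST, "file manager")["excess"].items():
        print(f"{perm:50s} -> {cap}")
```

Run against a real APK, the manifest comes from `apktool d` or `aapt dump xmltree`; the point is the comparison against what the app claims to be, not the raw permission count.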

Plugin-Based Surveillance

KoSpy's surveillance capabilities are delivered through dynamically loaded plugins rather than being statically compiled into the application. After retrieving its C2 address from Firebase Firestore, KoSpy sends two types of requests to the C2 server: one downloads executable plugins, the other retrieves configuration parameters for each surveillance function. This modular design allows operators to selectively enable or disable specific collection capabilities per target, update surveillance modules without pushing new app versions, and add new collection capabilities to deployed implants without reinfection.

Data Exfiltration

Collected data is encrypted with a hardcoded AES key before transmission to the C2 servers. This hides the plaintext from casual network monitoring, but because the key is embedded in the APK, anyone who recovers a sample can extract it and decrypt captured exfiltration traffic. The encryption is a baseline of operational security for the channel, not protection against an analyst who has the implant.

Technical Details

Two-Stage C2 Architecture

KoSpy's most notable technical feature is its use of Google's Firebase Firestore as a first-stage configuration delivery mechanism. On initial execution, the spyware queries a Firebase Firestore database to retrieve a simple configuration containing two parameters:

  1. An activation switch ("on" or "off")
  2. The actual C2 server address

This architecture provides significant operational advantages. Firebase Firestore is a legitimate Google service, so traffic to it blends with normal app behavior and is unlikely to be flagged by network monitoring. The activation switch allows operators to keep implants dormant until they are ready to begin collection on a specific target. The C2 address can be rotated at any time through the Firestore database without touching the implant, providing resilience against C2 takedowns. Lookout identified five distinct Firebase projects and five C2 servers across the analyzed sample set.
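The two-stage design leaves a network pattern that can be hunted for even though the first hop goes to Google: a read from Firestore, then a POST by the same package to a host that is not Google's. The code below is an added example, not Lookout's or KoSpy's: it parses a configuration document in the Firestore REST response format into the activation switch and C2 address, and then runs a simple sequence rule over constructed proxy log lines. The field names `on` and `url`, the log format, the package names and the 203.0.113.10 address are all assumptions for the example; the page only says the document holds a switch and a C2 address.

```python
"""Stage-1 Firestore config parsing and a proxy-log sequence rule (added example)."""
import json
import re
from datetime import datetime, timedelta

# Constructed document in the Firestore REST API shape
# (GET .../v1/projects/{p}/databases/(default)/documents/{collection}/{doc}).
# Field names "on" and "url" are assumed.
SAMPLE_DOC = json.dumps({
    "name": "projects/demo/databases/(default)/documents/cfg/x",
    "fields": {"on": {"stringValue": "on"},
               "url": {"stringValue": "https://203.0.113.10/api"}},
})


def _value(field: dict):
    """Unwrap a Firestore typed value (only the types the switch needs)."""
    if "stringValue" in field:
        return field["stringValue"]
    if "booleanValue" in field:
        return field["booleanValue"]
    return None


def parse_stage1_config(doc_json: str) -> dict:
    """Return whether the implant would activate and where it would call home."""
    fields = json.loads(doc_json).get("fields", {})
    switch = _value(fields.get("on", {}))
    return {"active": switch in ("on", True),
            "c2": _value(fields.get("url", {}))}


GOOGLE_SUFFIXES = (".googleapis.com", ".google.com", ".gstatic.com")


def is_google_host(host: str) -> bool:
    return host.endswith(GOOGLE_SUFFIXES)


def parse_line(line: str) -> dict:
    """Constructed log format: ISO timestamp then key=value tokens."""
    ts, rest = line.split(" ", 1)
    event = dict(tok.split("=", 1) for tok in rest.split())
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event


def find_staged_c2(lines, window=timedelta(minutes=30)) -> list:
    """Alert when a package reads Firestore and, within the window,
    POSTs to a non-Google host: the stage-1 -> stage-2 hand-off."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    last_firestore, alerts = {}, []
    for e in events:
        key = (e["device"], e["pkg"])
        if e["host"] == "firestore.googleapis.com":
            last_firestore[key] = e["ts"]
            continue
        seen = last_firestore.get(key)
        if (seen and e["method"] == "POST" and not is_google_host(e["host"])
                and e["ts"] - seen <= window):
            alerts.append({"device": e["device"], "pkg": e["pkg"],
                           "c2": e["host"],
                           "after_firestore_s": int((e["ts"] - seen).total_seconds())})
    return alerts


# Constructed proxy log: one staged C2 hand-off, one app that only talks to
# Firestore, and one that POSTs elsewhere without a Firestore read.
SAMPLE_LOG = """\
2025-03-05T10:00:00Z device=d1 pkg=com.example.filemanager method=GET host=firestore.googleapis.com path=/v1/projects/demo/databases/(default)/documents/cfg/x bytes_out=0
2025-03-05T10:00:04Z device=d1 pkg=com.example.filemanager method=POST host=203.0.113.10 path=/api/plugin bytes_out=220
2025-03-05T10:00:09Z device=d1 pkg=com.example.notes method=GET host=firestore.googleapis.com path=/v1/projects/notes/databases/(default)/documents/u/1 bytes_out=0
2025-03-05T10:00:10Z device=d1 pkg=com.example.notes method=POST host=firestore.googleapis.com path=/v1/projects/notes/databases/(default)/documents/u/1 bytes_out=300
2025-03-05T10:02:00Z device=d2 pkg=com.example.weather method=POST host=api.example.net path=/v2/report bytes_out=120
"""

if __name__ == "__main__":
    print(parse_stage1_config(SAMPLE_DOC))
    for alert in find_staged_c2(SAMPLE_LOG.splitlines()):
        print(alert)
```

On its own the sequence rule is noisy, since plenty of legitimate apps read Firestore and then talk to their own backend; in practice it is a scoring input, tightened by requiring that the follow-on POST returns executable content (a DEX or JAR plugin) or by restricting it to packages outside an allow list.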

Anti-Analysis Checks

Before activating surveillance functions, KoSpy performs two validation checks:

  1. Emulator detection to avoid executing in analysis sandboxes
  2. Date comparison against a hardcoded activation date to prevent premature exposure of capabilities

These checks are intended to keep the spyware from revealing its malicious behavior to researchers who run samples in emulated environments, or who analyze recently compiled builds before their intended deployment date. Both are defeated by spoofing: an analysis device that presents physical-hardware build properties and a clock set past the activation date will pass.
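What an analyst needs from these two gates is not the verdict but which indicator tripped, so the emulator can be fixed up and the sample re-run. The code below is an added example, not KoSpy's decompiled logic: it models the two checks over a dictionary of Android system properties and a supplied date, and reports every reason the implant would stay dormant. The property indicators are the usual emulator tells (goldfish/ranchu hardware, "generic" fingerprints, sdk_gphone models), not checks confirmed for KoSpy, and the activation date is a placeholder since the page does not give the real one.

```python
"""Model of the emulator and activation-date gates (added example).

The indicator list is generic emulator detection, assumed rather than
recovered from KoSpy; ACTIVATION_DATE is a placeholder.
"""
from datetime import date

EMULATOR_INDICATORS = {
    "ro.build.fingerprint": ("generic", "unknown", "test-keys"),
    "ro.product.model": ("Emulator", "Android SDK built for", "sdk_gphone"),
    "ro.hardware": ("goldfish", "ranchu"),
    "ro.product.manufacturer": ("Genymotion",),
    "ro.kernel.qemu": ("1",),
}

ACTIVATION_DATE = date(2022, 3, 1)  # placeholder, not the real hardcoded date


def emulator_hits(props: dict) -> list:
    """Every property/substring pair that marks the device as an emulator."""
    hits = []
    for prop, needles in EMULATOR_INDICATORS.items():
        value = props.get(prop, "")
        for needle in needles:
            if needle in value:
                hits.append(f"{prop}={value!r} contains {needle!r}")
                break
    return hits


def would_activate(props: dict, today: date,
                   activation_date: date = ACTIVATION_DATE):
    """(activates, reasons): both gates must pass before surveillance starts."""
    reasons = emulator_hits(props)
    if today < activation_date:
        reasons.append(f"clock {today} is before activation date {activation_date}")
    return (not reasons), reasons


# Constructed property sets: a stock AVD image and a spoofed physical profile.
STOCK_AVD = {
    "ro.build.fingerprint": "google/sdk_gphone_x86/generic_x86_arm:11/RSR1.201013.001/6903271:userdebug/dev-keys",
    "ro.product.model": "sdk_gphone_x86",
    "ro.hardware": "ranchu",
    "ro.product.manufacturer": "Google",
    "ro.kernel.qemu": "1",
}
SPOOFED_PHONE = {
    "ro.build.fingerprint": "samsung/a52xsq/a52x:13/TP1A.220624.014/A526USQU6EWF1:user/release-keys",
    "ro.product.model": "SM-A526U",
    "ro.hardware": "qcom",
    "ro.product.manufacturer": "samsung",
}

if __name__ == "__main__":
    for name, props in (("stock AVD", STOCK_AVD), ("spoofed", SPOOFED_PHONE)):
        ok, why = would_activate(props, date(2025, 3, 12))
        print(name, "activates" if ok else "dormant", why)
```

The reasons list is the to-do list for the sandbox: each property named there is set with `setprop` on a rooted image or patched in the emulator's build.prop, and the date gate is handled by advancing the guest clock rather than waiting.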

HTTP POST Exfiltration

After passing validation checks and retrieving the C2 address from Firebase, KoSpy communicates with its C2 server via HTTP POST requests. Plugin downloads and configuration updates flow through this channel, as does exfiltrated surveillance data after AES encryption.

Target Regions

Period Primary Targets
March 2022 onward Korean-speaking users (South Korea), English-speaking users

The dual-language targeting (Korean app names alongside English variants) indicates collection against both South Korean targets and English-speaking populations of interest to DPRK intelligence. The "Kakao Security" lure specifically targets South Korean users who use KakaoTalk, while "File Manager" and "Software Update Utility" serve as language-neutral lures applicable to any English-speaking target.

Notable Campaigns

March 2022 to March 2025: Lookout documented a sustained KoSpy campaign spanning approximately three years. The spyware operated through Google Play and third-party app stores using five fake utility application identities. The campaign leveraged Firebase Firestore for resilient C2 configuration delivery and dynamically loaded plugins for modular surveillance. Lookout attributed the operation to ScarCruft (APT37) with medium confidence based on infrastructure analysis, and identified shared infrastructure with APT43 (Kimsuky) operations. Google removed all identified apps and deactivated the associated Firebase projects following disclosure.

Related Families

Family Relationship
Hermit Both are state-sponsored Android spyware platforms with modular plugin architectures for surveillance. Hermit is attributed to Italian vendor RCS Lab, while KoSpy serves North Korean intelligence.
SpyNote Both provide comprehensive Android surveillance (SMS, calls, location, audio, camera, keylogging), though SpyNote is a commodity RAT builder while KoSpy is a targeted state-sponsored tool with Firebase-based C2 configuration.
Pegasus Both represent state-sponsored mobile surveillance, though Pegasus (NSO Group) exploits zero-day vulnerabilities for zero-click deployment while KoSpy relies on social engineering through fake utility apps.
