North Korean Hackers Secretly Planted Spyware on Android App Store

Priyadharshini S March 12, 2025 | 02:01 PM Technology

Yeah, it's a pretty alarming situation. North Korean state-sponsored hackers managed to sneak spyware, called KoSpy, onto Google Play, disguising it as a legitimate File Manager app. According to Lookout’s report, the app was downloaded at least 10 times before being taken down.

Figure 1. North Korean Hackers Stealthily Planted Spyware on Google Play Store.

This isn’t the first time North Korean hackers have made headlines—recently, they pulled off a $1.4 billion Ethereum heist from Bybit to fund their nuclear program. But this spyware campaign seems to be more about surveillance than financial theft. Figure 1 illustrates the spyware’s placement on the Google Play Store.

It’s another reminder that even official app stores aren’t 100% safe. Always check permissions, developer details, and reviews before downloading any app.

This is a pretty concerning development. Lookout’s report highlights yet another instance of state-sponsored cyber espionage, this time through KoSpy, a spyware app that briefly made its way onto Google Play. Given that the app was disguised as a File Manager, it’s possible some users downloaded it without realizing the risk.

While North Korean hackers are infamous for crypto thefts—like the recent $1.4 billion Ethereum heist from Bybit—this operation appears to be focused on surveillance rather than financial gain. It’s another reminder that even official platforms like Google Play aren’t immune to malicious software.

Sounds like KoSpy was a highly targeted spyware campaign, likely aimed at specific individuals rather than mass surveillance. With only a handful of downloads, it suggests North Korean hackers may have been pursuing high-value targets—perhaps dissidents, journalists, or individuals with sensitive information.

The sheer amount of data KoSpy could steal is alarming:

  • Text messages, call logs, location data
  • Keystrokes, installed apps, Wi-Fi details
  • Audio recordings, photos, and even screen captures
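The advice above to check an app’s permissions before installing can be turned into a quick triage check: a “File Manager” has no business requesting the permissions that unlock the data categories just listed. The script below is an added example written for this page, not code from the article or from Lookout’s report. It parses the `uses-permission:` lines printed by the Android SDK’s `aapt dump badging <apk>` command, subtracts a baseline of permissions a plain file manager plausibly needs (the baseline and the capability-to-permission mapping are this example’s own assumptions), and reports which of the listed data categories the remaining permissions would enable. The sample badging output is constructed, not taken from the real KoSpy app.

```python
import re

# Map each data category listed in the article to the android.permission
# constants an app must request to collect it. The permission names are real
# Android constants; the grouping is this example's simplified assumption.
# Keystroke logging and screen capture are deliberately absent: they ride on an
# accessibility service or MediaProjection, neither of which shows up as a
# uses-permission line, so this check cannot see them.
CAPABILITY_PERMISSIONS = {
    "text messages": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "installed apps": {"android.permission.QUERY_ALL_PACKAGES"},
    "wi-fi details": {"android.permission.ACCESS_WIFI_STATE"},
    "audio recordings": {"android.permission.RECORD_AUDIO"},
    "photos": {"android.permission.CAMERA"},
}

# Permissions a genuine file manager plausibly needs (assumption for this example).
FILE_MANAGER_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}

# `aapt dump badging` prints one line per requested permission in this form.
USES_PERM_RE = re.compile(r"^uses-permission: name='([^']+)'")

# Constructed sample output for a "file manager" that asks for far too much.
SUSPICIOUS_BADGING = """\
package: name='com.example.filemanager' versionCode='3' versionName='1.2'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.ACCESS_WIFI_STATE'
"""

# Constructed sample output for a file manager that stays in its lane.
BENIGN_BADGING = """\
package: name='com.example.filemanager' versionCode='3' versionName='1.2'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
"""


def parse_badging(text):
    """Return the set of permission names requested in aapt badging output."""
    perms = set()
    for line in text.splitlines():
        match = USES_PERM_RE.match(line.strip())
        if match:
            perms.add(match.group(1))
    return perms


def triage(perms, baseline=FILE_MANAGER_BASELINE):
    """Return {capability: [permissions]} for every listed data category that the
    permissions outside the baseline would let the app collect."""
    unexpected = perms - baseline
    hits = {}
    for capability, needed in CAPABILITY_PERMISSIONS.items():
        matched = sorted(needed & unexpected)
        if matched:
            hits[capability] = matched
    return hits


if __name__ == "__main__":
    for label, badging in (("suspicious", SUSPICIOUS_BADGING), ("benign", BENIGN_BADGING)):
        findings = triage(parse_badging(badging))
        print(f"{label}: {len(findings)} out-of-scope capabilities")
        for capability, matched in findings.items():
            print(f"  {capability}: {', '.join(matched)}")
```

Run it against the real output of `aapt dump badging` on an APK you are vetting; an empty result does not prove an app is clean (the Firestore-based configuration and accessibility-driven collection mentioned in this article would not surface here), but a file manager that lights up several categories is exactly the mismatch between claimed purpose and requested access that this story is about.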

It’s also interesting that KoSpy used Firestore (Google’s cloud database) to retrieve its initial configurations—meaning it leveraged Google’s own infrastructure to stay operational.

Google has since removed the apps and disabled the Firebase projects, but their response was pretty neutral. They didn’t confirm Lookout’s attribution to North Korea, which isn’t surprising—big tech companies tend to avoid making geopolitical claims.

Still, this case shows how advanced state-sponsored spyware has become. Even official app stores can’t guarantee security, so staying vigilant about what we install is more important than ever.

It’s interesting that KoSpy was also found on APKPure, a third-party app store. This suggests the hackers weren’t just relying on Google Play but also targeting users who sideload apps—something that often bypasses Play Protect’s security measures. APKPure claims they never got a notice from Lookout, which raises concerns about how well third-party stores handle security threats.

Lookout’s researchers are pretty confident this campaign was highly targeted, likely aimed at South Koreans or English/Korean-speaking individuals. The presence of Korean in the app names, UI, and commands makes that assessment plausible.

What’s even more telling is the infrastructure links—Lookout found that KoSpy’s domains and IPs were previously connected to APT37 and APT43, two North Korean hacking groups. That’s a big clue that this wasn’t some random cybercriminal operation but a coordinated state-sponsored attack.

And Hebeisen’s point is valid—North Korean hackers keep slipping malware into official app stores, which is pretty alarming. It means they’re good at bypassing Google’s security checks, at least temporarily. Even though Google removes the malware after discovery, the fact that it made it onto the Play Store in the first place is concerning.

Source: TC

Cite this article:

Priyadharshini S (2025), "North Korean Hackers Secretly Planted Spyware on Android App Store", AnaTechmaz, p. 227
