According to cybersecurity firm Lookout, hackers linked to the North Korean government secretly uploaded Android spyware to the Google Play Store, tricking users into downloading it.

The spyware, known as KoSpy, was part of an espionage campaign that Lookout confidently attributes to North Korea.

One of the spyware apps posed as a file manager and was available on Google Play, where it was downloaded more than ten times before being removed. Lookout included a screenshot of the app’s page as evidence. Unlike North Korea’s well-known cryptocurrency thefts, such as the recent $1.4 billion heist from Bybit, this campaign focuses on surveillance rather than financial gain.

KoSpy is designed to collect sensitive data from infected devices, including text messages, call logs, location data, files, keystrokes, Wi-Fi details, and a list of installed apps. It can also record audio, take photos using the phone’s camera, and capture screenshots. The spyware relied on Firestore, a cloud database from Google Cloud, to retrieve initial configurations.

After Lookout reported its findings, Google removed the identified apps from the Play Store and deactivated the Firebase projects linked to the spyware. Google spokesperson Ed Fernandez confirmed that Google Play automatically protects users from known versions of this malware but did not comment on whether Google agrees that North Korea was responsible.

Lookout also discovered that the spyware was available on APKPure, a third-party app store. However, APKPure stated it had not received any warning from Lookout. Researchers believe the hackers were targeting English-speaking and Korean users, most likely in South Korea, based on the apps’ names, language settings, and interface.

Further investigation revealed that the spyware used domain names and IP addresses previously linked to APT37 and APT43, two North Korean government-backed hacking groups. Lookout researchers noted that North Korean hackers have successfully uploaded malware to official app stores multiple times, highlighting the growing cybersecurity threat they pose.