KoSpy Unmasked: North Korea’s APT37 Expands Mobile Surveillance Operations


North Korea’s state-sponsored hackers have added a powerful new tool to their cyber arsenal. According to researchers at Lookout, a newly discovered Android spyware strain called KoSpy is actively being used to spy on mobile users. The malware is designed to collect large amounts of sensitive information and transmit it back to attackers.

The discovery of KoSpy highlights how mobile devices have become prime targets in modern cyber espionage. As more personal and professional activity moves to smartphones, state-backed actors are shifting their focus accordingly, developing spyware that’s stealthy, flexible, and capable of evading detection.

KoSpy’s emergence comes on the heels of North Korea’s alleged involvement in a string of high-profile cyberattacks, including the massive $1.5 billion ByBit cryptocurrency theft. Together, these events reinforce what security experts have been warning for years: North Korea remains one of the most persistent and aggressive players in the global cyber threat landscape.

KoSpy: The Technical Deep Dive

Lookout attributes KoSpy to APT37, also known as ScarCruft—a North Korean advanced persistent threat group with a long track record of espionage activity. The spyware also shares ties with APT43 (Kimsuky), suggesting a degree of coordination or resource sharing between North Korea’s cyber units.

Researchers believe KoSpy has been in development since at least March 2022, with active deployment detected through 2024. Its capabilities are extensive. Once installed on a target device, KoSpy can harvest call logs, SMS messages, GPS location data, audio recordings, and screenshots. This broad access allows attackers to monitor both the content and context of a victim’s communications in near real-time.

KoSpy also includes a modular plugin system, giving operators the ability to customize surveillance based on their objectives. This flexibility means the spyware can evolve over time, responding to new targets or shifting intelligence goals.

For command-and-control, KoSpy uses Firebase, a legitimate cloud platform commonly used by mobile developers. This helps it blend in with normal app traffic and avoid detection. The spyware operates using a two-stage communication process. It first connects to Firebase to receive instructions and then sends stolen data to a separate server controlled by the attackers. This layered setup adds an extra degree of stealth and control.

Distribution and Infection Tactics

KoSpy relies on trickery rather than sophisticated exploits to get onto devices. According to Lookout, the spyware has been distributed through both official and third-party app stores, including Google Play and Apkpure. Disguised as a harmless utility app, KoSpy lures users into downloading it voluntarily.

These fake apps masquerade as everyday utilities with names like Phone Manager, File Manager, Smart Manager, Kakao Security, and Software Update Utility. Most of them mimic legitimate functions—opening internal phone settings or acting as basic file browsers—to appear convincing. In some cases, like the Kakao Security app, the interface is purely deceptive, displaying a fake system window and aggressively requesting permissions.

Lookout reports that these apps have since been pulled from Google Play, and the related Firebase infrastructure has been shut down. But users who downloaded the apps before they were taken down may still have active infections, meaning the threat hasn’t been fully contained.

“Users have put their trust into the app stores, and these attacks are very difficult for users to spot,” said Thomas Richards, Infrastructure Security Practice Director at Black Duck. “The number of permissions the app needed would have raised suspicions for me; why would a file manager app need access to my call logs or text messages?”
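The mismatch Richards points to, a utility app requesting permissions its stated purpose does not need, is something a defender can check mechanically across an inventory of installed apps. The following is an added example written for this page, not code from Lookout or the article's author; the category-to-permission mapping, the helper names, and the sample app records are all assumptions constructed for illustration, while the permission strings themselves are real Android manifest permission names.

```python
# Added example: flag apps whose requested "dangerous" permissions do not fit
# the kind of app they claim to be. Helper names and the category mapping are
# assumptions of this example, not an Android platform policy.

from dataclasses import dataclass

# Real Android permission strings mapped to the class of personal data they expose.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CONTACTS": "contacts",
}

# Permissions each app category plausibly needs (an assumption for this example).
EXPECTED_BY_CATEGORY = {
    "file_manager": {"android.permission.READ_EXTERNAL_STORAGE",
                     "android.permission.WRITE_EXTERNAL_STORAGE"},
    "phone_manager": {"android.permission.READ_PHONE_STATE"},
    "security": set(),
    "updater": {"android.permission.INTERNET",
                "android.permission.REQUEST_INSTALL_PACKAGES"},
}


@dataclass
class AppRecord:
    package: str
    label: str
    category: str
    permissions: set


def unexpected_sensitive_permissions(app):
    """Sensitive permissions the app requests that its category does not justify."""
    expected = EXPECTED_BY_CATEGORY.get(app.category, set())
    return sorted(p for p in app.permissions
                  if p in SENSITIVE_PERMISSIONS and p not in expected)


def risk_score(app):
    """Number of distinct personal-data classes reachable via unjustified permissions."""
    return len({SENSITIVE_PERMISSIONS[p] for p in unexpected_sensitive_permissions(app)})


def audit(apps, threshold=2):
    """Return (package, score, data classes) for apps at or above the threshold."""
    findings = []
    for app in apps:
        score = risk_score(app)
        if score >= threshold:
            classes = sorted({SENSITIVE_PERMISSIONS[p]
                              for p in unexpected_sensitive_permissions(app)})
            findings.append((app.package, score, classes))
    return findings


# Constructed sample inventory: package names and permission sets are made up.
SAMPLE_APPS = [
    AppRecord("com.example.filemgr", "File Manager", "file_manager",
              {"android.permission.READ_EXTERNAL_STORAGE",
               "android.permission.READ_CALL_LOG",
               "android.permission.READ_SMS",
               "android.permission.ACCESS_FINE_LOCATION",
               "android.permission.RECORD_AUDIO"}),
    AppRecord("com.example.benignfiles", "Files", "file_manager",
              {"android.permission.READ_EXTERNAL_STORAGE",
               "android.permission.WRITE_EXTERNAL_STORAGE"}),
    AppRecord("com.example.dialer", "Phone Manager", "phone_manager",
              {"android.permission.READ_PHONE_STATE",
               "android.permission.READ_CALL_LOG"}),
]

if __name__ == "__main__":
    for package, score, classes in audit(SAMPLE_APPS):
        print(f"{package}: {score} unjustified data classes: {', '.join(classes)}")
```

In practice the `AppRecord` entries would be populated from a device inventory, for instance by parsing the requested-permission lines of `adb shell dumpsys package <pkg>` or `aapt dump permissions <apk>`; the category would come from the store listing or an MDM policy. The threshold keeps a single borderline permission from generating noise while a file browser asking for call logs, SMS, location and microphone at once stands out.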

Target Profile

KoSpy appears to be aimed squarely at Korean and English-speaking users, a target profile that points to both regional and international surveillance goals. By focusing on these language groups, North Korean operators can cast a wide net, monitoring individuals not just within the Korean Peninsula but also across the broader global diaspora and diplomatic communities.

The likely motivation is espionage. With access to call records, texts, locations, and other personal data, KoSpy gives its handlers a powerful tool for gathering intelligence on political dissidents, government officials, journalists, and other high-value targets. It’s a calculated move that aligns with North Korea’s broader cyber strategy: collect as much information as possible, as quietly as possible.

North Korea’s Growing Cyber Playbook

KoSpy is just the latest entry in North Korea’s expanding cyber toolkit. The ByBit cryptocurrency hack, one of the largest of its kind, is part of the same pattern: an aggressive push to support state objectives and gather intelligence through increasingly sophisticated cyber operations.

Where KoSpy stands out is in its focus on mobile surveillance. It signals a shift from traditional desktop-based espionage to the smartphone, where much of modern life now happens. This move reflects a broader strategy of adapting to changing technology landscapes while continuing to pursue high-value targets.

There’s also growing evidence of cooperation among North Korea’s hacking units. KoSpy is tied to APT37 but shares infrastructure and tactics with APT43. This kind of overlap suggests these groups aren’t operating in silos—they’re pooling resources, sharing tools, and working toward common goals.

The Larger Security Implications

KoSpy’s emergence reinforces a growing reality: mobile devices are now a central front in cyber warfare.

“KoSpy is another clear sign that mobile is now a top priority for state-sponsored groups,” said Kern Smith, Vice President, Americas at mobile security firm Zimperium. “These attackers are going beyond desktops and targeting smartphones for the same level of data access—if not more. Mobile surveillance is no longer a niche tactic; it’s part of the core playbook.”

Enterprises and governments should rethink their approach to security. Traditional protections built around desktop infrastructure aren’t enough. Organizations need to prioritize mobile threat defense, treat smartphones as potential entry points, and adopt zero-trust frameworks that assume every device could be compromised. “Relying on app store reviews and permissions isn’t enough,” Smith said. “Organizations need real-time, on-device mobile security that can catch this type of activity the moment it starts.”

For individual users, the lesson is just as clear. Avoid downloading apps from unverified sources. Pay attention to app permissions. Keep software updated. Whenever possible, use mobile security tools that can detect suspicious behavior. In the age of state-backed spyware, basic caution can go a long way.

Securing the New Normal

KoSpy is a window into the geopolitical stakes of today’s cyber landscape. As governments turn to mobile surveillance to gain an edge, the boundary between national security and personal privacy continues to erode.

This makes vigilance more important than ever. It also raises the bar for innovation in mobile security. Meeting threats like KoSpy will require smarter defenses, better awareness, and a willingness to treat mobile devices not as afterthoughts but as front-line assets in the fight to protect data and privacy.

Author
  • Contributing Writer, Security Buzz
    Michael Ansaldo is a veteran technology and business journalist with experience covering cybersecurity and a range of IT topics. His work has appeared in numerous publications including Wired, Enterprise.nxt, PCWorld, Computerworld, TechHive, GreenBiz, Mac|Life, and Executive Travel.