Republished on March 15th with a new report highlighting dangerous apps.
What a week for Play Store. Google has been busy with its delete button, with multiple threats sneaking their way inside Android’s best secured app vault. Not a good look. And all this has come hot on the tail of the latest warning that Android is under attack.
First came an ad fraud scheme leading to the deletion of 180 apps with 56 million downloads, then another dangerous Anatsa/Teabot trojan ejected from the store, and we have even seen fake Play Store pages tricking users into high-risk installs.
Now another threat has been outed, with Google confirming all the newly “identified apps” hiding a nasty new spyware have also been ousted from Play Store. This latest warning came courtesy of Lookout, which attributed the new KoSpy malware “to the North Korean group APT37 [ScarCruft].”
The team says the spyware “can collect extensive data, such as SMS messages, call logs, location, files, audio, and screenshots.” It’s a North Korean team effort with “evidence of infrastructure being shared with APT43 [Kimsuky], another notorious North Korean state-sponsored group.” Both groups target users in multiple countries.
The new malware attacks both English and Korean speakers, and seemingly dates back at least to early 2022 and is still in the wild now. “KoSpy has been observed using fake utility application lures, such as ‘File Manager’, ‘Software Update Utility’ and ‘Kakao Security,’ to infect devices.” The spyware comes with an impressive list of capabilities:
- “Collecting SMS messages
- Collecting call logs
- Retrieving device location
- Accessing files and folders on the local storage
- Recording audio and taking photos with the cameras
- Capturing screenshots or recording the screen while in use
- Recording key strokes by abusing accessibility services
- Collecting wifi network details
- Compiling a list of installed applications.”
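Every capability in that list maps onto an Android permission or a privileged service binding, so a quick way to triage a device is to check which installed apps hold that combination. The script below is an added example written for this article, not code from Lookout or Google: it parses text in the shape of `adb shell dumpsys package` output plus the value of `adb shell settings get secure enabled_accessibility_services`, and flags packages whose requested permissions cover several of the capability groups above. The mapping from capabilities to permission names is this example's own assumption based on the published list, the sample `dumpsys` text and package names are constructed, and the flagging threshold is arbitrary.

```python
import re
from typing import Dict, List, Set

# Capabilities from Lookout's KoSpy list, mapped to the manifest permissions an
# app would need for each. This mapping is the example's own assumption from the
# published capability list; it is not taken from Lookout's report.
CAPABILITY_PERMISSIONS: Dict[str, Set[str]] = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "audio_camera": {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"},
    "wifi": {"android.permission.ACCESS_WIFI_STATE"},
    "app_list": {"android.permission.QUERY_ALL_PACKAGES"},
}


def parse_requested_permissions(dumpsys_text: str) -> Dict[str, Set[str]]:
    """Return {package: requested permissions} from `dumpsys package`-style text.

    Only the 'requested permissions:' block of each 'Package [name]' entry is
    read; any other section header (a line ending in ':') closes the block.
    """
    result: Dict[str, Set[str]] = {}
    current = None
    in_requested = False
    for raw in dumpsys_text.splitlines():
        line = raw.strip()
        header = re.match(r"Package \[([\w.]+)\]", line)
        if header:
            current = header.group(1)
            result[current] = set()
            in_requested = False
            continue
        if current is None:
            continue
        if line == "requested permissions:":
            in_requested = True
            continue
        if line.endswith(":"):
            in_requested = False
            continue
        if in_requested and line.startswith("android.permission."):
            result[current].add(line)
    return result


def enabled_accessibility_packages(settings_value: str) -> Set[str]:
    """Parse the enabled_accessibility_services setting (colon-separated
    'package/ServiceClass' entries, or 'null' when none) into package names."""
    value = (settings_value or "").strip()
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def assess(dumpsys_text: str, accessibility_value: str,
           threshold: int = 4) -> Dict[str, List[str]]:
    """Flag packages whose permissions cover at least `threshold` capability
    groups. An enabled accessibility service counts as one more group, since
    that is the route the article describes for keystroke capture."""
    perms = parse_requested_permissions(dumpsys_text)
    a11y = enabled_accessibility_packages(accessibility_value)
    flagged: Dict[str, List[str]] = {}
    for pkg, requested in perms.items():
        hits = [cap for cap, needed in CAPABILITY_PERMISSIONS.items() if requested & needed]
        if pkg in a11y:
            hits.append("keystrokes_via_accessibility")
        if len(hits) >= threshold:
            flagged[pkg] = hits
    return flagged


# Constructed sample in the shape of `adb shell dumpsys package` output.
# Package names are invented for this example.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.filemanager] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.READ_SMS
      android.permission.READ_CALL_LOG
      android.permission.ACCESS_FINE_LOCATION
      android.permission.RECORD_AUDIO
      android.permission.CAMERA
      android.permission.ACCESS_WIFI_STATE
      android.permission.QUERY_ALL_PACKAGES
    install permissions:
      android.permission.READ_SMS: granted=true
  Package [com.example.flashlight] (4d5e6f):
    userId=10124
    requested permissions:
      android.permission.CAMERA
    install permissions:
      android.permission.CAMERA: granted=true
"""
# Constructed value of `settings get secure enabled_accessibility_services`.
SAMPLE_A11Y = "com.example.filemanager/.AccessibilityHelper"

if __name__ == "__main__":
    for pkg, hits in assess(SAMPLE_DUMPSYS, SAMPLE_A11Y).items():
        print(f"{pkg}: {len(hits)} capability groups -> {', '.join(hits)}")
```

On a real device, feed it `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services`; a legitimate file manager or flashlight should never land near the threshold, and any unfamiliar app that does is a candidate for removal and a Play Protect scan.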
While none of the identified apps remain on Play Store, they will be available elsewhere. “KoSpy samples in Lookout’s corpus masquerade as five different apps: 휴대폰 관리자 (Phone Manager), File Manager, 스마트 관리자 (Smart Manager), 카카오 보안 (Kakao Security) and Software Update Utility.” If any are on your phone, delete them now.
As well as KoSpy, you should remove any of the ad fraud and Anatsa apps (per links above), which Google has also confirmed have been deleted from the store. You should also ensure Google’s Play Protect is enabled at all times on your device.
In response to Lookout’s report, Google told me “the use of regional language suggests this was intended as targeted malware. Before any user installations, the latest malware sample discovered in March 2024 was removed from Google Play. Google Play Protect automatically protects Android users from known versions of this malware on devices with Google Play Services, even when apps come from sources outside of Play.”
Google is updating Play Protect to make it easier to pause its defenses to facilitate sideloading. As this new warning clearly illustrates, you should never do this unless you’re absolutely sure of the legitimacy of the app you’re installing and the source. As I’ve warned before, sideloading itself puts you at risk and this new option is dangerous and needs handling with care. You’re driving at speed, but removing your seatbelt.
A timely new report from UCL in London has just warned that “some ‘unofficial’ parental control apps have excessive access to personal data and hide their presence, raising concerns about their potential for unethical surveillance as well as domestic abuse,” highlighting that sideloaded apps are much riskier than those on Play Store.
The new study “is the first to compare ‘official’ parental control apps available in the Google Play Store and ‘sideloaded’ or ‘unofficial’ parental control apps available from other sources… The team found that sideloaded apps were more likely to hide their presence from the phone user [and] require excessive permissions, including ‘dangerous’ permissions such as being able to access personal data, like precise user location, at all times.” None of which should come as a surprise.
This is just the latest report to highlight sideloading risks, which Google itself warns is dangerous. What’s interesting here is that parental control apps by their nature will ask for excessive permissions to operate. It’s a boon for data harvesters to be able to operate in this way on your phone. But for apps in such a sensitive area to be able to lure users into installing, potentially disabling Play Protect in the process, is dangerous.
Google has long promised to eradicate such abuse, removing these apps from Play Store and monitoring on-device behavior. But all this remains a work in progress. Multiple warnings last year highlighted just how rife such Play Store abuse remains.