Google Play Store Under Attack: Major Malware Threats Exposed and Removed


The Google Play Store has faced a wave of security threats, leading to the deletion of multiple malicious apps. This week, Google removed 180 fraudulent apps with a staggering 56 million downloads, along with a dangerous banking trojan, Anatsa (Teabot).

However, the latest serious security warning involves a newly discovered spyware, KoSpy, which has been infiltrating Android devices since early 2022.

KoSpy Malware: A North Korean Cyberattack

Security firm Lookout identified the KoSpy malware, attributing it to APT37 (ScarCruft), a North Korean hacking group.

The spyware is designed to steal extensive user data, including:

  • SMS messages and call logs
  • Device location tracking
  • File and folder access
  • Audio recording and camera hijacking
  • Screenshots and screen recordings
  • Keystroke logging via accessibility services
  • WiFi network details
  • Installed app list extraction

KoSpy has been linked to another North Korean group, APT43 (Kimsuky), known for state-sponsored cyberattacks.

How KoSpy Infects Devices

The malware disguises itself as fake utility apps, including:

  • 휴대폰 관리자 (Phone Manager)
  • File Manager
  • 스마트 관리자 (Smart Manager)
  • 카카오 보안 (Kakao Security)
  • Software Update Utility

These malicious apps have been removed from Google Play. However, they remain available on third-party platforms, making them a continued risk to Android users.

Google’s Response and Security Measures

Google confirmed that the latest KoSpy malware sample, discovered in March 2024, was removed from Google Play before any user installed it.

Additionally, Google Play Protect now automatically detects and blocks known malware variants—even if they are installed from sources outside Google Play.

Why You Should Be Cautious

Despite these removals, cybercriminals continue to distribute malware through external sources. Google is also updating Play Protect to allow users to pause security defenses for sideloading apps, which can be risky if done without verification.

Experts strongly advise against disabling Play Protect unless you are 100% sure of the legitimacy of an app and its source.

What You Should Do Now

  1. Check your device for any of the KoSpy-infected apps listed above. Delete them immediately.
  2. Ensure Google Play Protect is enabled on your device at all times.
  3. Avoid sideloading apps from unknown sources.
  4. Remove any Anatsa/Teabot malware-infected apps that Google recently deleted from the Play Store.
  5. Stay updated on Play Store security warnings to protect your device from emerging threats.
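
To support steps 1 and 3, the following added example (not from the original article) parses the output of `adb shell pm list packages -3 -i` and lists user-installed apps that did not come from Google Play, so they can be reviewed by hand. The article gives only display names for the KoSpy apps, so this does not match KoSpy directly; the sample output and package names are constructed placeholders.

```python
import re

# Installer package of Google Play itself; anything else is treated as sideloaded.
PLAY_STORE = "com.android.vending"

# One line of `adb shell pm list packages -3 -i` looks like:
#   package:<name>  installer=<installer package or null>
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


def parse_installers(text):
    """Return {package: installer or None} from pm output, skipping malformed lines."""
    result = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        inst = m.group("installer")
        # pm prints the literal string "null" when no installer was recorded.
        result[m.group("pkg")] = None if inst == "null" else inst
    return result


def sideloaded(text, trusted=(PLAY_STORE,)):
    """Packages whose recorded installer is missing or not in the trusted set."""
    installers = parse_installers(text)
    return sorted(pkg for pkg, inst in installers.items() if inst not in trusted)


# Constructed sample output; package names are placeholders, not KoSpy identifiers.
SAMPLE = """\
package:com.example.notes  installer=com.android.vending
package:com.example.filemanager  installer=null
package:com.example.updater  installer=com.example.thirdpartystore
garbage line
package:com.example.chat  installer=com.android.vending
"""

if __name__ == "__main__":
    for pkg in sideloaded(SAMPLE):
        print("review:", pkg)
```

A flagged package is not necessarily malicious; it only means the app was installed from outside Google Play and deserves a closer look.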

As cyberattacks become more sophisticated, Android users must remain vigilant to avoid falling victim to spyware, banking trojans, and fraudulent apps.
