Google Bans These Apps On Play Store After Hackers Plant 'KoSpy' Spyware
Google has banned apps from the Google Play Store in which hackers had planted spyware named KoSpy, which collects sensitive data such as SMS messages, call logs, location and photos, records audio and more.
Google has banned apps after it was found that hackers had planted the 'KoSpy' spyware in them and somehow made them available on the Google Play Store for everyone to download globally. So, did you download any of the apps that Google banned? If so, you must immediately check your smartphone and delete them. In fact, whenever apps laden with such spyware or malware are downloaded, users must find and get rid of them immediately.
What really happened to make Google ban apps
A hacking group reportedly linked to the North Korean government uploaded spyware-laden Android apps to the Google Play Store. The espionage campaign, featuring a malware strain named KoSpy, was attributed with “high confidence” to North Korean-sponsored hackers, according to a report by cybersecurity company Lookout.
Worryingly, at least one of these spyware-infested apps was available on the Google Play Store, and it was downloaded multiple times by users before Google banned it and took it down. Lookout provided a screenshot of the app's listing as evidence.
Lookout's statement revealed the danger to anyone who downloaded apps with this spyware: "KoSpy can collect extensive data, such as SMS messages, call logs, location, files, audio, and screenshots via dynamically loaded plugins."
North Korean cybercriminals are often associated with large-scale cryptocurrency heists, such as the recent theft of around $1.4 billion in Ethereum from Bybit, stated a report in TechCrunch. This particular spyware appears to be focused on intelligence gathering instead of financial gain.
Lookout added that action taken against this spyware was comprehensive. It said, "All the apps mentioned in the report have been removed from Google Play, and the associated Firebase projects have been deactivated by Google."
What happens when Google bans apps from Google Play Store?
First of all, know that the banned app will not be removed from your smartphone. However, you will not be able to update your app via Google Play Store. And, if you remove the app from your smartphone, you will not be able to redownload the app.
Spyware meant for extensive surveillance
KoSpy had extensive spying capabilities, according to Lookout’s researchers. It could access a broad range of personal data, including SMS messages, call logs, location details and keystrokes. Additionally, the spyware could record audio, take photos and capture screenshots, making it a powerful surveillance tool.
Lookout said, "KoSpy can collect an extensive amount of sensitive information on the victim devices...." These capabilities include:
Collecting SMS messages
Collecting call logs
Retrieving device location
Accessing files and folders on the local storage
Recording audio and taking photos with the cameras
Capturing screenshots or recording the screen while in use
Recording key strokes by abusing accessibility services
Collecting wifi network details
Compiling a list of installed applications
Lookout’s Director of Security Intelligence Research, Christoph Hebeisen, said that the number of downloads suggests the attack was aimed at people in South Korea who speak English or Korean.
The malicious apps used Google Cloud's Firestore database for retrieving initial configurations.
Google bans apps
Upon receiving Lookout’s findings, Google swiftly banned all identified spyware apps from the Play Store and disabled related Firebase projects. Google spokesperson Ed Fernandez told TechCrunch, "All of the identified apps were removed from Play and Firebase projects deactivated."
Fernandez added, “Google Play automatically protects users from known versions of this malware on Android devices with Google Play Services.”
But Google declined to comment on whether it agreed with Lookout’s assessment that the North Korean government was behind the operation.
Apart from Play Store, Lookout also detected KoSpy on third-party app marketplace APKPure.
Lookout also found that the spyware apps were linked to domain names and IP addresses earlier associated with malware. These domains and addresses were part of the command-and-control infrastructure used by North Korean government hacking groups APT37 and APT43.