
Ricochet Chollima Using KoSpy Android Spyware

Written by The Hivemind | Mar 17, 2025 5:34:36 PM

Executive Summary

KoSpy is a sophisticated Android spyware linked to North Korean threat actor Ricochet Chollima. It has been targeting Korean and English-speaking users since March 2022.

Key Takeaways

  • KoSpy spyware, attributed to Ricochet Chollima, masquerades as utility apps and uses Firebase Firestore for initial configuration, enhancing operational flexibility.
  • The spyware collects extensive data, including SMS, call logs, location, and audio, via plugins downloaded from its C2.
  • Targeting focuses on Korean and English-speaking users, with samples distributed through Google Play and third-party stores like Apkpure.

What is KoSpy?

KoSpy is a sophisticated Android spyware linked to North Korean threat actor Ricochet Chollima. It has been targeting Korean and English-speaking users since March 2022. KoSpy remains active, with recent samples still publicly hosted. This spyware exemplifies Ricochet Chollima's evolving tactics, blending mobile espionage with resilient infrastructure. Lookout published the original analysis of KoSpy.

KoSpy disguises itself as legitimate utility applications, such as file managers and security software, to evade detection. Its infection chain begins with a two-stage C2 setup, retrieving an encrypted configuration from Firebase Firestore, Google’s cloud-hosted database. This configuration includes an on/off switch and a C2 server address, allowing operators to dynamically enable or disable the spyware and pivot infrastructure if compromised. Once activated, KoSpy verifies the device is not an emulator and checks a hardcoded activation date to delay malicious behavior, reducing early detection risks.

Written in Java, KoSpy's core functionality hinges on dynamically loaded plugins fetched from its C2 server, so the capabilities present on a given device depend on what the operator chooses to push. These plugins enable extensive data collection, including SMS messages, call logs, device location, stored files, audio recordings, and screenshots. Collected data is encrypted with a hardcoded AES key before exfiltration to adversary-controlled servers. Because the key is embedded in the app rather than negotiated per session, an analyst who recovers it from a sample can decrypt captured exfiltration traffic.
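A triage check an analyst can apply to an app that presents itself as a file manager or security tool, as described above: compare the permissions the manifest requests against what the advertised purpose needs, and scan the strings recovered from the DEX for Firestore usage and dynamic class loading, the two building blocks of KoSpy's cloud-hosted configuration and plugin model. This is an added example written for this post, not code from Lookout, PolySwarm or the malware; the manifest, the DEX strings, the permission-to-data mapping and the per-category expectations are constructed for illustration and are not taken from a KoSpy sample.

```python
"""APK triage helper: permission/purpose mismatch plus cloud-config and plugin-loading hints.

Added example for this write-up (not code from Lookout, PolySwarm or KoSpy).
Inputs: a decoded AndroidManifest.xml (e.g. from `apktool d`) and the strings
recovered from classes.dex. The sample inputs below are CONSTRUCTED.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> kind of data it lets a spyware plugin collect.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.ACCESS_FINE_LOCATION": "device location",
    "android.permission.ACCESS_COARSE_LOCATION": "device location",
    "android.permission.RECORD_AUDIO": "audio recordings",
    "android.permission.READ_EXTERNAL_STORAGE": "stored files",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "stored files",
}

# Data a benign app in each advertised category plausibly needs (assumption for this example).
EXPECTED_BY_CATEGORY = {
    "file_manager": {"stored files"},
    "security_tool": {"stored files"},
}

# DEX string fragments worth flagging and what they usually indicate.
CODE_HINTS = {
    "com/google/firebase/firestore": "Firestore client (cloud-hosted configuration)",
    "firestore.googleapis.com": "Firestore REST endpoint",
    "dalvik/system/DexClassLoader": "runtime loading of downloaded code (plugins)",
    "dalvik/system/InMemoryDexClassLoader": "runtime loading of downloaded code (plugins)",
    "ro.kernel.qemu": "emulator-detection property",
}


def requested_permissions(manifest_xml):
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def data_exposed(permissions):
    """Map requested permissions to the categories of data they unlock."""
    return {SENSITIVE_PERMISSIONS[p] for p in permissions if p in SENSITIVE_PERMISSIONS}


def unexpected_access(manifest_xml, category):
    """Data categories the app can reach that its advertised purpose does not explain."""
    exposed = data_exposed(requested_permissions(manifest_xml))
    return exposed - EXPECTED_BY_CATEGORY.get(category, set())


def code_hints(dex_strings):
    """Sorted, de-duplicated meanings of any CODE_HINTS fragments found in the DEX strings."""
    found = {meaning for s in dex_strings for needle, meaning in CODE_HINTS.items() if needle in s}
    return sorted(found)


def triage(manifest_xml, category, dex_strings):
    """Combine both checks. Two or more unexplained data categories, or one plus
    cloud-config/plugin-loading hints, is enough to pull the APK for manual review."""
    unexpected = unexpected_access(manifest_xml, category)
    hints = code_hints(dex_strings)
    suspicious = len(unexpected) >= 2 or (len(unexpected) >= 1 and len(hints) > 0)
    return {
        "unexpected_data_access": sorted(unexpected),
        "code_hints": hints,
        "suspicious": suspicious,
    }


# Constructed manifest for a fake "file manager" (not from a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="File Manager"/>
</manifest>"""

# Constructed DEX strings, in the descriptor form `strings classes.dex` would show.
SAMPLE_DEX_STRINGS = [
    "Lcom/google/firebase/firestore/FirebaseFirestore;",
    "Ldalvik/system/DexClassLoader;",
    "ro.kernel.qemu",
    "Landroid/telephony/SmsManager;",
]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, "file_manager", SAMPLE_DEX_STRINGS))
```

Run it against the AndroidManifest.xml from `apktool d` plus the output of `strings classes.dex`. The `ro.kernel.qemu` hint is a common emulator-detection property, not a KoSpy-specific indicator; it matters here because a sample that checks for an emulator and gates on an activation date will not show its full behavior in a sandbox it recognizes or before that date, so a clean dynamic run is not evidence of a clean app.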

The malware is distributed through both official and unofficial channels, including Google Play and third-party stores like Apkpure. While some of the apps recorded more than 10 downloads on Google Play before removal, the small numbers suggest a focused campaign, possibly aimed at specific individuals rather than mass infection. Lookout's collaboration with Google has since led to the takedown of the identified malicious apps from the Play Store.

Infrastructure analysis reveals connections to broader North Korean operations. The C2 domain st0746[.]net resolves to the IP 27.255.79[.]225 in South Korea, previously tied to domains like naverfiles[.]com and mailcorp[.]center, associated with the Konni RAT used by Ricochet Chollima. Additionally, overlap with nidlogon[.]com, linked to Velvet Chollima by Microsoft, indicates potential resource sharing among North Korean threat actors. 

Who is Ricochet Chollima?

Ricochet Chollima, also known as APT37, Inky Squid, RedEyes, ScarCruft, and Reaper, is a North Korea-nexus threat actor group. Ricochet Chollima has been active since at least 2012 and typically targets entities in South Korea, though it has also targeted entities in Japan, Vietnam, the Middle East, and elsewhere. Targeted verticals include chemical, electronics, manufacturing, aerospace, automotive, and healthcare. Ricochet Chollima TTPs include Windows UAC bypass, C2 over HTTPS, Flash exploits, steganography, and an MBR wiper. Its malware arsenal includes SoundWave, Zumkong, RiceCurry, Freenki, RokRAT, Bluelight, CoralDeck, Final1stspy, HappyWork, Karae, NavRAT, PoorAim, ShutterSpeed, SlowDrift, and WineRack.

IOCs

PolySwarm has a sample of KoSpy.

da56b0416b205b36337af22738967445ff310ca0f6051b243f00b83baa67aa09

You can use the following CLI command to search for all KoSpy samples in our portal:

$ polyswarm link list -f KoSpy
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.