Researchers and journalists reported multiple cases in which Android spyware linked to government actors was distributed through official app stores, including Google Play. In one campaign, Lookout said North Korean operators deployed spyware it tracks as KoSpy through at least one Google Play app and additional listings on APKPure. The malware was built for surveillance, with capabilities to collect SMS messages, call logs, location data, files, keystrokes, Wi-Fi details, and installed apps, and to record audio, take photos, and capture screenshots. Lookout assessed the operation as highly targeted, likely aimed at specific individuals in South Korea, and linked supporting infrastructure to activity associated with APT37 and APT43.
A separate earlier case involved Exodus, spyware that researchers found hidden in Google Play apps and described as government malware. Together, the incidents show that official Android marketplaces have been used to deliver surveillance tools masquerading as legitimate apps. Google said it removed the identified KoSpy apps from Google Play, disabled related Firebase projects, and that Google Play Protect blocks known versions of the malware.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Google said it removed the identified malicious apps from Google Play, deactivated the associated Firebase projects, and confirmed that Google Play Protect detects and blocks known versions of the spyware. This was the platform's response to the disclosed KoSpy campaign.
Researchers found at least one KoSpy-infected app on Google Play, where a cached page indicated more than 10 downloads, and additional malicious samples on APKPure. The apps supported Korean and English, reinforcing the assessment that the operation targeted South Korean users.
Lookout reported an Android spyware campaign it calls KoSpy and attributed it with high confidence to the North Korean government, linking infrastructure to activity associated with APT37 and APT43. The spyware was designed for surveillance and was assessed as highly targeted, likely aimed at specific individuals in South Korea.
Researchers found Android apps on the Google Play Store that were actually the Exodus surveillance malware, described as government spyware. The discovery showed that spyware had been distributed through the official Android app marketplace.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.