Google Play Store removed apps that were secretly stealing user data, exposing millions of Android devices to security threats. These malicious apps contained KoSpy spyware, linked to North Korean hacking group APT37 (ScarCruft). They remained undetected for over two years, collecting sensitive information such as call logs, messages, and GPS locations.

If any of these apps are still on your device, removing them immediately is the safest course of action. Similar spyware campaigns have targeted Android users before, such as the North Korean Android spyware found in previous Play Store apps.

Malicious Apps Removed from Google Play

Security researchers discovered that multiple apps, disguised as utility and security tools, contained hidden spyware. These apps seemed harmless but had advanced data-stealing capabilities.

List of Affected Apps:

• Phone Manager (휴대폰 관리자)
• File Manager
• Smart Manager (스마트 관리자)
• Kakao Security (카카오 보안)
• Software Update Utility

Though Google Play Store removed these apps, they might still be installed on many devices. If you have them, delete them immediately.

This incident is not an isolated case. Android users have previously faced severe threats, such as the Necro Malware infection that compromised 11 million devices through Google Play.

How These Apps Stole User Data

The KoSpy spyware hidden in these apps granted attackers full access to infected devices. Here’s what was being stolen:

• Call logs – Capturing details of all incoming and outgoing calls
• SMS messages – Intercepting texts, including OTPs for banking and authentication
• Location tracking – Monitoring real-time GPS movements
• File access – Reading and extracting documents, photos, and videos
• Microphone recording – Secretly recording audio without user consent
• Screenshots – Capturing sensitive information on the screen
• Keystroke logging – Tracking everything typed on the device
• Wi-Fi network details – Mapping connected networks for further exploitation

The stolen data was encrypted and sent to remote servers, allowing hackers to use it for identity theft, financial fraud, and cyber espionage.

Who Was Behind This Spyware Attack?

Cybersecurity experts attribute this attack to APT37 (ScarCruft), a North Korean state-sponsored hacking group active since 2012. This group has a history of targeting:

• Government agencies
• Journalists and activists
• Corporations and financial institutions
• High-profile individuals

APT37 is known for using malware, phishing attacks, and software vulnerabilities to infiltrate systems and steal sensitive data. Similar tactics have been observed in other malware attacks, such as SpyLend Android malware, which surpassed 100,000 downloads on Google Play. Learn more about how this malware operates in our report on SpyLend Android malware.

What You Should Do Right Now

If your device was infected with any of these spyware-laden apps, take immediate action.

1. Uninstall These Apps Now

Go to Settings > Apps, search for any of the affected apps, and delete them.

2. Enable Google Play Protect

Play Protect scans for harmful apps. Activate it by going to Google Play Store > Play Protect > Scan device for security threats.

3. Change Your Passwords

If your phone was compromised, your login credentials might be exposed. Update passwords for:

• Banking apps
• Email accounts
• Social media platforms

Enable two-factor authentication (2FA) for extra security.

4. Review App Permissions

Many apps request excessive permissions. Go to Settings > Privacy > Permission Manager and revoke unnecessary access to:

• Microphone
• Camera
• Location
• Contacts
• Messages

5. Keep Your Device Updated

Outdated software increases the risk of malware infections. Update your Android system and all apps regularly to patch security vulnerabilities.

6. Avoid Third-Party App Stores

Downloading apps from sources outside Google Play can expose your device to malware. Stick to official stores and read app reviews before installing anything.

How Google is Strengthening Play Store Security

Google Play Store removed these apps after detecting the KoSpy spyware, but the company is also working on stronger security measures:

• Stricter app review processes to prevent malware from slipping through
• AI-powered malware detection for faster threat identification
• More frequent security updates to remove harmful apps quicker

Cybercriminals continue to find ways to bypass security measures, making user awareness and proactive security habits essential.

To Sum Up

The fact that Google Play Store removed apps containing spyware highlights the growing risk of mobile security threats. While Google is improving its security, users must remain vigilant.

Uninstall any of these apps immediately, update your security settings, and stay cautious when downloading new apps. These small steps can prevent identity theft, data breaches, and financial fraud in the future.