North Korean state-backed hackers infected Android devices with malware intended to spy on Korean and English speakers, researchers said Wednesday.

Mobile and cloud security firm Lookout labeled the malware KoSpy and said it appears to be the work of an advanced persistent threat group tracked as ScarCruft or APT37.

KoSpy, which the company spotted on the Google Play Store and third-party app stores, is able to gather significant amounts of sensitive data, including call logs, text messages, files, audio, screenshots and user location, according to the report.

The malware has been embedded in bogus utility apps with titles such as File Manager, Software Update Utility and Kakao Security, Lookout said. Google has taken down all of the known infected apps, the researchers said.

KoSpy was first seen in March 2022 and new samples were spotted as recently as last year, Lookout said.

“More than half of the apps have Korean language titles and the UI supports two languages: English and Korean,” Lookout said. “The messages and text fields in the app are shown in Korean if the device language is set to Korean and in English otherwise.”

KoSpy appears to share infrastructure with the North Korean state-sponsored group tracked as Kimsuky or APT43. Those hackers are reportedly behind a wave of spearphishing attacks that deploy malware to steal information, a campaign known as forceCopy.

ScarCruft, the group linked to KoSpy, has been operating since 2012. While it mainly targets South Koreans, it has also attacked users in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait and several countries in the Mideast, Lookout said.

An espionage campaign targeting media organizations and high-profile academics was attributed to ScarCruft in January. In October, researchers linked a malware operation in Southeast Asia to the group.
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.