A new Android spyware called KoSpy has been attributed to the North Korean group APT37 (ScarCruft). The malware, active since March 2022, targets Korean and English-speaking users by masquerading as utility apps. KoSpy uses a two-stage C2 infrastructure, retrieving initial configurations from Firebase cloud databases. It can collect extensive data, including SMS messages, call logs, location, files, audio, and screenshots via dynamically loaded plugins. The spyware has been distributed through Google Play and third-party app stores. Evidence suggests infrastructure sharing with APT43 (Kimsuky), another North Korean state-sponsored group. KoSpy's capabilities include collecting sensitive information, recording audio, capturing screenshots, and keylogging. The campaign targets Korean and English speakers, with samples available on Google Play and third-party stores.