Lookout identifies KoSpy as an Android spyware family attributed with medium confidence to North Korea-linked APT37, also known as ScarCruft, targeting Korean and English-speaking users. Samples masquerade as utility apps such as file managers, software update tools, and Kakao-themed security apps, with distribution observed through Google Play and third-party stores. KoSpy retrieves an initial encrypted configuration from Firebase Firestore, uses a two-stage C2 model to obtain plugin and surveillance settings, and can collect SMS messages, call logs, location, files, audio, screenshots, keystrokes, Wi-Fi details, and installed-app lists. Lookout notes infrastructure overlap with APT43/Kimsuky-related activity, including the KoSpy C2 domain st0746[.]net resolving to an IP previously associated with Korea-focused malicious domains.