Ricochet Chollima Using KoSpy Android Spyware

2025-03-17 PolySwarm

https://blog.polyswarm.io/ricochet-chollima-using-kospy-android-spyware


KoSpy is Android spyware linked to Ricochet Chollima, also known as APT37, Inky Squid, RedEyes, ScarCruft, and Reaper. The malware masquerades as utility apps, has appeared in Google Play and third-party stores such as Apkpure, and retrieves an encrypted Firebase Firestore configuration containing an operator-controlled enable switch and C2 address. After emulator and activation-date checks, KoSpy loads plugins from C2 to collect SMS messages, call logs, location data, files, audio recordings, and screenshots, then encrypts stolen data before exfiltration. Infrastructure such as st0746.net resolving to 27.255.79.225 overlaps with domains tied to Konni RAT and Velvet Chollima activity, suggesting shared or related North Korean resources.
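The indicators below are most useful once they are run against telemetry, so the following is an added example (not PolySwarm's code and not part of the original report) that matches the page's domains, IP and truncated hash against constructed DNS, flow and file-hash records. The log formats are hypothetical key=value lines invented for the example; only the indicator values come from the page. Two practitioner caveats are built in: subdomains of a listed domain (for example api.st0746.net) should match, but a lookalike that merely embeds the indicator as a leading label (nidlogon.com.example.org) should not; and because the page prints the file hash truncated, it can only be matched as a prefix and is reported as low confidence rather than as a confirmed sample.

```python
"""Match the KoSpy indicators from this page against constructed log lines.

Added example; the log lines and file hashes are constructed for illustration
and the key=value log format is hypothetical. Only the indicator values
(domains, IP, hash prefix) are taken from the page's IOC table.
"""
import ipaddress
import re

# Indicator values copied from the page. The hash is printed truncated on the
# page, so it is kept as a prefix and can never yield an exact match.
KOSPY_DOMAINS = {"nidlogon.com", "st0746.net", "naverfiles.com"}
KOSPY_IPS = {"27.255.79.225"}
KOSPY_SHA256_PREFIX = "da56b0416b205b36337af2273896744"  # truncated on the page

# Constructed sample telemetry (hypothetical format, not from any real product).
DNS_LOG = [
    "2025-03-14T09:12:01Z client=10.0.5.23 query=api.st0746.net type=A",
    "2025-03-14T09:12:02Z client=10.0.5.23 query=firestore.googleapis.com type=A",
    "2025-03-14T09:15:40Z client=10.0.5.31 query=nidlogon.com.evil-lookalike.org type=A",
    "2025-03-14T09:16:03Z client=10.0.5.40 query=NaverFiles.com. type=AAAA",
]
NETFLOW_LOG = [
    "2025-03-14T09:12:05Z src=10.0.5.23 dst=27.255.79.225 dport=443 bytes=18422",
    "2025-03-14T09:12:09Z src=10.0.5.23 dst=142.250.72.10 dport=443 bytes=2210",
]
FILE_HASHES = {
    # Constructed: the page's prefix padded to 64 hex chars, NOT a real sample hash.
    "cleaner.apk": KOSPY_SHA256_PREFIX + "0" * 33,
    "notes.apk": "0" * 64,
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Parse 'key=value' pairs out of one log line into a dict."""
    return dict(KV_RE.findall(line))


def domain_matches(query, indicator_domains):
    """Return the indicator that `query` equals or is a subdomain of, else None.

    Normalises case and a trailing dot. A name that only starts with the
    indicator (nidlogon.com.evil-lookalike.org) is deliberately not a match.
    """
    name = query.rstrip(".").lower()
    for ioc in indicator_domains:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def scan_dns(lines):
    """High-confidence hits: a client resolved a listed domain or a subdomain of it."""
    hits = []
    for line in lines:
        fields = parse_kv(line)
        ioc = domain_matches(fields.get("query", ""), KOSPY_DOMAINS)
        if ioc:
            hits.append({"host": fields.get("client"), "ioc": ioc,
                         "confidence": "high", "line": line})
    return hits


def scan_netflow(lines):
    """High-confidence hits: a host connected to the listed C2 address."""
    hits = []
    for line in lines:
        fields = parse_kv(line)
        try:
            dst = str(ipaddress.ip_address(fields.get("dst", "")))
        except ValueError:
            continue  # malformed or missing dst field; skip rather than crash
        if dst in KOSPY_IPS:
            hits.append({"host": fields.get("src"), "ioc": dst,
                         "confidence": "high", "line": line})
    return hits


def scan_hashes(hashes):
    """Low-confidence hits only: the page gives a truncated hash, so prefix match."""
    hits = []
    for name, digest in hashes.items():
        if digest.lower().startswith(KOSPY_SHA256_PREFIX):
            hits.append({"file": name, "ioc": KOSPY_SHA256_PREFIX + "...",
                         "confidence": "low (truncated indicator, prefix match only)"})
    return hits


def correlate(dns_hits, flow_hits):
    """Hosts that both resolved a KoSpy domain and connected to the KoSpy IP."""
    return sorted({h["host"] for h in dns_hits} & {h["host"] for h in flow_hits})


if __name__ == "__main__":
    dns_hits = scan_dns(DNS_LOG)
    flow_hits = scan_netflow(NETFLOW_LOG)
    for hit in dns_hits + flow_hits + scan_hashes(FILE_HASHES):
        print(hit)
    print("hosts with both DNS and flow hits:", correlate(dns_hits, flow_hits))
```

Running the script flags the client that resolved a st0746.net subdomain and then connected to 27.255.79.225 as the one host with corroborating DNS and flow evidence, skips the lookalike query, and reports the padded hash only as a prefix match. In production the prefix match should trigger retrieval of the full sample for confirmation rather than an alert on its own.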

Indicators of Compromise

Type     Value                               First Seen   Last Seen
HASH     da56b0416b205b36337af2273896744…    2025-03-17   2025-03-17
DOMAIN   nidlogon.com                        2025-03-12   2025-03-17
DOMAIN   st0746.net                          2025-03-12   2025-03-17
DOMAIN   naverfiles.com                      2025-03-12   2025-03-17
IPv4     27.255.79.225                       2025-03-12   2025-03-17
