Posted on August 11, 2017 at 12:29 PM
There have been over a thousand spyware apps found flooding Android app stores, the official Google Play store among them. These apps are capable of monitoring almost every action on the device they have infected.
The SonicSpy malware, as it is called, is capable of silently recording calls and audio, as well as making calls, taking photos, sending text messages, monitoring call logs, contacts, and information about wi-fi access points.
All in all, the malware can carry out 73 different surveillance commands. It is believed that SonicSpy is the work of malware developers in Iraq.
The app is marketed as a messaging application, and the way it ensures that the user doesn’t get suspicious is by performing the advertised messaging function, while in the background, it steals their data and transfers it to a command and control center.
Researchers at Lookout discovered the SonicSpy malware when they found three versions of it in the official Google Play Store, each of them advertised as a messaging app.
Google acted quickly and removed the offending apps, named Soniac, Hulk Messenger and Troy Chat, from the store, but it is believed that many versions of it are still available on third-party app markets. As far as we know, the malware could have been downloaded thousands of times by now. Before Google managed to remove it, the Soniac version of the malware was downloaded somewhere between one thousand and five thousand times.
Once you install the app, SonicSpy hides itself by removing its launcher icon from the smartphone menu. Next, it connects to a command and control server and tries to download and install a modified version of the Telegram app.
This custom app contains the malicious features that let the attackers take control of the device in question. It is unknown how the attackers target specific users, or whether their goal is simply to collect whatever information they can from anyone who downloads the malware.
Researchers analysed samples of SonicSpy and have found that it contains similarities to a spyware called Spynote, uncovered in the middle of last year.
These two malware families share code, make use of dynamic DNS services and both communicate over the non-standard port 2222, which led Lookout to conclude that the two were built by the same group.
Another similarity is that both of these use a fully-functioning app that also secretly leaks data to the attackers. The account behind the malicious apps is called ‘iraqwebservice’, which is why the researcher believes the campaign is of Iraqi origin.
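The two network indicators the article attributes to SonicSpy and SpyNote, command-and-control traffic on the non-standard port 2222 and reliance on dynamic DNS hostnames, are the kind of thing a defender can hunt for in outbound-connection logs. The following is an added example and not code from Lookout or from the article; the log format, the device names, the hostnames and the list of dynamic DNS suffixes are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of outbound-connection log lines (not real SonicSpy traffic).
# Assumed format: "<timestamp> <device> <dst_host> <dst_port> <proto>"
SAMPLE_LOG = """\
2017-08-10T09:14:02Z phone-17 api.example-messaging.test 443 tcp
2017-08-10T09:14:05Z phone-17 sonic-c2.ddns-example.test 2222 tcp
2017-08-10T09:15:11Z phone-04 updates.example.test 443 tcp
2017-08-10T09:15:30Z phone-17 sonic-c2.ddns-example.test 2222 tcp
2017-08-10T09:16:00Z phone-22 mail.example.test 993 tcp
2017-08-10T09:16:45Z phone-04 build42.dyn-example.test 2222 tcp
2017-08-10T09:17:00Z phone-09 git.example.test 2222 tcp
"""

# Assumption: hostname suffixes the defender treats as dynamic DNS providers.
# These are placeholders; a real deployment would maintain its own list.
DYNAMIC_DNS_SUFFIXES = (".ddns-example.test", ".dyn-example.test")

# Non-standard port the article reports both SonicSpy and SpyNote use.
SUSPECT_PORT = 2222

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\w+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, device, host, port, proto = m.groups()
    return {"ts": ts, "device": device, "host": host, "port": int(port), "proto": proto}


def is_dynamic_dns(host):
    """True if the destination hostname ends in one of the assumed dynamic DNS suffixes."""
    return host.lower().endswith(DYNAMIC_DNS_SUFFIXES)


def score(event):
    """Return the list of indicator names that match this connection event."""
    reasons = []
    if event["port"] == SUSPECT_PORT:
        reasons.append("port-2222")
    if is_dynamic_dns(event["host"]):
        reasons.append("dynamic-dns")
    return reasons


def find_suspects(log_text):
    """Map each device to its flagged connections.

    Each entry is (host, port, severity, reasons). A connection matching both
    indicators is rated "high"; a single indicator (port 2222 is also used by
    legitimate services) is rated "low" so an analyst can triage it.
    """
    alerts = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        reasons = score(ev)
        if not reasons:
            continue
        severity = "high" if len(reasons) == 2 else "low"
        alerts[ev["device"]].append((ev["host"], ev["port"], severity, tuple(reasons)))
    return dict(alerts)


def summarize(log_text):
    """Count flagged connections per device."""
    return {dev: len(items) for dev, items in find_suspects(log_text).items()}


if __name__ == "__main__":
    for dev, items in find_suspects(SAMPLE_LOG).items():
        for host, port, sev, reasons in items:
            print(f"{dev}: {host}:{port} [{sev}] {','.join(reasons)}")
```

On the constructed sample, phone-17 and phone-04 are flagged "high" because their connections hit both indicators, while phone-09 is flagged "low" for port 2222 alone. Keeping the single-indicator hits at low severity matters because port 2222 by itself is a weak signal; it is the combination with a dynamic DNS destination that the article presents as characteristic of this family.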
Michael Flossman, security research services tech lead at Lookout, warns that while the malware has been removed from the Google Play Store, it could find its way back into it again.
He explained that the actors behind the malware have shown the capability of getting their spyware into the official app store; as it is actively being developed and its build process is automated, it is likely that SonicSpy will surface again in the future.
Google keeps the vast majority of its 1.4 billion Android users safe from malware, but malicious apps still regularly get through to the official store.