Security firm Lookout has detected a spyware family that has flooded Android app stores, including the official Google Play store, with over 1,000 spyware apps. Dubbed SonicSpy, the spyware can monitor almost every action on an infected device.
SonicSpy was uncovered by researchers at Lookout after they found three versions of it, namely Soniac, Hulk Messenger and Troy Chat, live in the official Google Play app store, each disguised as a messaging service.
Marketed as a messaging application, the malware performs the advertised messaging function so that users do not become suspicious of the download, while quietly stealing data and transferring it to a command and control server.
Soniac, which had from 1,000 to 5,000 downloads before Google removed it, provided messaging functions through a customized version of the Telegram communications program. It is unclear whether the other two apps were removed by Google or withdrawn by the developers. Besides the Play store, the malware is being distributed through other channels, bringing the total to nearly 4,000 spyware apps in the wild.
The malware comes with the ability to record calls and audio, take photos, make calls, send text messages to numbers specified by the attackers, and monitor call logs, contacts, and information about Wi-Fi access points.
Once installed, SonicSpy apps remove their launcher icon to hide their presence and then establish a connection to the control server located on port 2222 of arshad93.ddns[.]net.
SonicSpy can be ordered to remotely perform 73 different commands. Once it compromises a device, it beacons to its command and control servers and awaits instructions from the operator, who can issue any of the supported commands.
SonicSpy is said to have similarities to another malicious app family called SpyNote, which security firm Palo Alto Networks reported last year. They share similar code, make use of dynamic DNS services and both communicate over the non-standard port 2222, leading Lookout to suggest that the two families of malware have been built by the same hacking operation.
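The two traits just described, a dynamic-DNS hostname and a non-standard port 2222, are the kind of thing a network defender can hunt for. The following is an added example, not code from Lookout or from the article: it parses a constructed netflow-style log format (an assumption, as is the list of dynamic-DNS suffixes), scores each outbound connection against the published indicator and the port/dynamic-DNS pattern, and reports devices that check in repeatedly, since repeated check-ins are what beaconing looks like.

```python
"""Added example (not from the Lookout write-up): flag outbound connections that
match the SonicSpy/SpyNote C2 pattern described above, i.e. a connection to TCP
port 2222 on a dynamic-DNS hostname, over constructed netflow-style log lines.
The log format and the dynamic-DNS suffix list are assumptions for illustration."""
import re
from collections import Counter

# Indicator taken from the article (defanged there as arshad93.ddns[.]net).
KNOWN_C2_HOSTS = {"arshad93.ddns.net"}

# Dynamic-DNS suffixes commonly abused for C2; this list is an assumption, extend to taste.
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.biz", ".duckdns.org", ".hopto.org")

# Non-standard port shared by SonicSpy and SpyNote according to the article.
SUSPECT_PORT = 2222

# Constructed log format: "<ts> <src_ip> -> <dst_host>:<dst_port> proto=<tcp|udp> bytes=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<host>[^:\s]+):(?P<port>\d+) "
    r"proto=(?P<proto>\w+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["bytes"] = int(rec["bytes"])
    rec["host"] = rec["host"].lower().rstrip(".")
    return rec


def classify(rec):
    """Return a severity label for one parsed record, or None if nothing stands out."""
    host, port = rec["host"], rec["port"]
    if host in KNOWN_C2_HOSTS:
        return "high"      # exact match on the published indicator
    if port == SUSPECT_PORT and host.endswith(DYNDNS_SUFFIXES):
        return "medium"    # same pattern as SonicSpy/SpyNote: port 2222 plus dynamic DNS
    if port == SUSPECT_PORT or host.endswith(DYNDNS_SUFFIXES):
        return "low"       # only one of the two traits; worth a look, not an alert
    return None


def scan(lines):
    """Return a list of (severity, record) for every suspicious line; unparsable lines are skipped."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sev = classify(rec)
        if sev:
            hits.append((sev, rec))
    return hits


def beaconing_sources(hits, min_events=3):
    """Source addresses with repeated medium/high hits: repeated check-ins look like beaconing."""
    counts = Counter(rec["src"] for sev, rec in hits if sev in ("medium", "high"))
    return {src for src, n in counts.items() if n >= min_events}


# Constructed sample traffic, not captured data.
SAMPLE_LOGS = [
    "2017-08-10T09:00:01Z 10.0.0.12 -> arshad93.ddns.net:2222 proto=tcp bytes=412",
    "2017-08-10T09:05:02Z 10.0.0.12 -> arshad93.ddns.net:2222 proto=tcp bytes=388",
    "2017-08-10T09:10:03Z 10.0.0.12 -> arshad93.ddns.net:2222 proto=tcp bytes=401",
    "2017-08-10T09:11:00Z 10.0.0.33 -> example-home.no-ip.org:2222 proto=tcp bytes=120",
    "2017-08-10T09:12:00Z 10.0.0.44 -> www.example.com:443 proto=tcp bytes=9000",
    "2017-08-10T09:13:00Z 10.0.0.55 -> build.example.org:2222 proto=tcp bytes=64",
    "garbage line that will not parse",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for sev, rec in found:
        print(f"[{sev}] {rec['src']} -> {rec['host']}:{rec['port']}")
    print("likely beaconing:", beaconing_sources(found))
```

The three-tier scoring is deliberate: an exact indicator match is actionable on its own, but port 2222 or a dynamic-DNS name alone is common enough in legitimate traffic (home labs, CI runners, hobby servers) that either trait by itself should only add context, not page anyone.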
The developer account iraqwebservice, and several other features, point to the developer being located in Iraq. The phrase “Iraqian Shield” also appears repeatedly.
While SonicSpy has been removed from the Google Play Store for now, Flossman warns that it could potentially get into it again.
Incidents like this reinforce that users must avoid third-party stores, but that does not mean official app stores are completely safe. Users should avoid installing Google Play apps that seem suspicious, have low utility or have very few downloads.