A family of Android spyware has infected more than 1,000 apps, including some which infiltrated Google’s Play Store.
Researchers at mobile security firm Lookout came across the threat, known as “SonicSpy,” when they analyzed the Soniac messaging app on the Play Store. Soniac provides messaging functionality, by loading up a custom version of the Telegram messaging app.
But that’s not all Soniac contains. Lookout’s Michael Flossman elaborates on that point:
“Soniac also contains malicious capabilities that provide an attacker with significant control over a target device.
This includes the ability to silently record audio, take photos with the camera, make outbound calls, send text messages to attacker specified numbers, and retrieve information such as call logs, contacts, and information about Wi-Fi access points.”
By using DNS poisoning, running netcat, and analyzing the app’s client server communication, Flossman and his colleagues confirmed SonicSpy’s malicious functionality. They also discovered two other bits of interesting information. First, they found that the spyware comes equipped with 73 different remote instructions. Second, they unearthed evidence to suggest that a threat actor based in Iraq is responsible for the threat.
That’s not all. SonicSpy might not be that nefarious entity’s only software creation. Certain characteristics suggest SonicSpy might be related to SpyNote, another RAT designed for Android devices.
Here’s Flossman again with an explanation:
“There are many indicators that suggest the same actor is behind the development of both. For example, both families share code similarities, regularly make use of dynamic DNS services, and run on the non-standard 2222 port. In the case of SpyNote, the attacker used a custom-built desktop application to inject malicious code into specific apps so that a victim could still interact with the legitimate functionality of the trojanized apps. Due to the steady stream of SonicSpy apps it seems likely that the actors behind it are using a similar automated-build process, however their desktop tooling has not been recovered at this point in time.”
In total, Lookout’s researchers discovered more than a thousand apps infected by SonicSpy, including some (Hulk Messenger and Troy Chat) that made their way onto the Play Store. Google removed at least one of those offending apps.
But there could be more Play Store programs out there infected with SonicSpy or other Android-based spyware.
With that said, it’s important that Android users download apps from only trusted developers on Google’s Play Store. They should also make sure they do their due diligence by reading through an app’s requested permissions and other users’ reviews of the program before proceeding with installation. Finally, they should make sure to install an anti-virus solution onto their devices.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.