Someone has managed to flood third-party app stores and Google Play Store with more than a thousand malicious apps, which can monitor almost anything a user does on their mobile device from silently recording calls to make outbound calls without the user’s interaction.
Dubbed SonicSpy, the spyware has been spreading aggressively across Android app stores since at least February and is being distributed by pretending itself to be a messaging app—and it actually offers a messaging service.
SonicSpy Can Perform a Whole Lots of Malicious Tasks
At the same time, the SonicSpy spyware apps perform various malicious tasks, including silently recording calls and audio from the microphone, hijacking the device’s camera and snap photos, making outbound calls without the user’s permission, and sending text messages to numbers chosen by the attacker.
The spyware was discovered by security researchers at mobile security firm Lookout. The researchers also uncovered three versions of the SonicSpy-infected messaging app in the official Google Play Store, which had been downloaded thousands of times.
Although the apps in question—Soniac, Hulk Messenger and Troy Chat—have since been removed by Google from the Play Store, they are still widely available in third-party app stores along with other SonicSpy-infected apps.
Iraq Connection to the SonicSpy Spyware
The researchers believe the malware is related to a developer based in Iraq and say the overall SonicSpy malware family supports 73 different remote instructions that its attacker could execute on an infected Android device.
The connection of Iraq to the spyware stems from similarities between SonicSpy and SpyNote, another Android malware that was discovered in July 2016, which was masquerading as a Netflix app and was believed to have been written by an Iraqi hacker.
“There are many indicators that suggest the same actor is behind the development of both. For example, both families share code similarities, regularly make use of dynamic DNS services, and run on the non-standard 2222 port,” says Lookout Security Research Services Technology Lead Michael Flossman.
Also, the important indicator is the name of the developer account behind Soniac, listed on the Google Play store, was “iraqiwebservice.”
Here’s How the SonicSpy Works
One of the SonicSpy-infected messaging apps that made it through Google’s Play Store masqueraded as a communications tool called Soniac.
Once installed, Soniac removes its launcher icon from the smartphone menu to hide itself from the victim and connects to a command and control (C&C) server in an attempt to install a modified version of the Telegram app.
Before being removed by Google, the app had already been downloaded between 1,000 and 5,000 times, but since it was part of a family of 1,000 variants, the malware could have infected many thousands more.
SonicSpy Could Get Into Play Store Again
Although SonicSpy-infected apps have now been removed from the Play Store, the researchers warned that the malware could potentially get into the Play Store again with another developer account and different app interface.
“The actors behind this family have shown that they’re capable of getting their spyware into the official app store and as it’s actively being developed, and its build process is automated, it’s likely that SonicSpy will surface again in the future,” the researchers warned.
While Google has taken many security measures to prevent malicious apps from making through Google’s security checks, malicious apps still make their ways into the Play Store.
Just last month, we warned you about a clever malware, called Xavier, that was discovered in over 800 different Android apps that had been downloaded millions of times from Google Play Store and silently collected sensitive user data and can perform dangerous tasks.
In April, we reported about the BankBot banking trojan making its way to Google Play Store with the ability to get administrator privileges on infected devices and perform a broad range of malicious tasks, including stealing victim’s bank logins.
In the same month, about 2 Million Android users fell victim to the FalseGuide malware hidden in more than 40 apps for popular mobile games, such as Pokémon Go and FIFA Mobile, on the official Google Play Store.
How to Protect yourself against such Malware
The easiest way to prevent yourself from being targeted by such clever malware, always beware of fishy apps, even when downloading them from official Google Play Store and try to stick to the trusted brands only.
Moreover, always look at the reviews left by users who have downloaded the app and verify app permissions before installing any app even from the official app stores and grant those permissions that are relevant for the app’s purpose.
Also, do not download apps from third party source. Although in this case, the app is also being distributed through the official Play Store, most often victims became infected with such malware via untrusted third-party app stores.
Last but not the least, you are strongly advised to always keep good antivirus software on your device that can detect and block such malware before they infect your device, and keep your device and apps up-to-date.