Short Bytes: Lookout Security has been running after the samples of SonicSpy malware. Around 1000 apps reported since February 2016. Google has recently deleted Soniac spyware which is one of the apps that managed to enter the Play Store. Soniac can record audio, steal call logs, send SMS and make calls, etc. and send it to the attackers.
Soniac is a fake messaging app removed from Play Store after the Android-maker was alerted by the mobile security firm Lookout, an Ars Technica report says.
There were two other similar apps on Google Play – Hulk Messenger and Troy Chat – which are nowhere to be seen. It’s unclear if Google removed them or their creators.
Allowing the attacker to breach user’s security and privacy, Soniac disguises itself as a modified version of the instant messaging app Telegram, and it belongs to the SonicSpy family of malware. It had a download count between 1000-5000 times before Google kicked it out.
The malicious app’s potential includes, “the ability to silently record audio, take photos with the camera, make outbound calls, send text messages to attacker specified numbers, and retrieve information such as call logs, contacts, and information about Wi-Fi access points,” writes Michael Flossman in his blog post made last week.
After the user installs it, the app hides its launcher icon and then establishes a connection with the attackers’ C2 infrastructure (arshad93.ddns[.]net:2222). It reappears as the modified Telegram app.
The three apps are only a tiny fragment of an enormous chunk of around 1000 SonicSpy spyware apps, reported since February 2017. The remaining apps might have been distributed through other unknown platforms or via SMS having download links.
When combined, the SonicSpy family supports a total of 73 commands which can be issued remotely by the attackers, whom the researchers think might be based in Iraq. In the light of similarities, SonicSpy’s strings are also tied to another malware family called SpyNote, first reported in July 2016 by Palo Alto Networks.
According to Lookout, there could be the same actor behind both the families. “For example, both families share code similarities, regularly make use of dynamic DNS services, and run on the non-standard 2222 port.”
Flossman has warned Android users about SonicSpy being under active development and its possibility of making a comeback in the future.
The fact, SonicSpy’s developers managed to get different spyware apps on Google Play, is quite chilling. This is despite the tight security measures deployed by Google, and it might make a dent in user’s trust if similar incidents happen more often. Earlier this year, Google removed a malware called “System Update” which remained undetected for three years.
Read the Lookout’s blog post here for more details.
