Android app stores flooded with 1,000 spyware apps

Three fake messaging apps in the Google Play Store have been found to be distributing SonicSpy malware.
Written by Danny Palmer, Senior Writer

Hackers have flooded Android app stores, including the official Google Play store, with over 1,000 spyware apps, which have the capability to monitor almost every action on an infected device.

Dubbed SonicSpy, the malware can silently record calls and audio, take photos, make calls, send text messages to numbers specified by the attackers, and monitor calls logs, contacts, and information about wi-fi access points.

In total, SonicSpy can be ordered to remotely perform 73 different commands and its suspected to be the work of malware developers in Iraq.

Marketed as a messaging application, the malware performs the advertised messaging function in order to avoid users getting suspicious of the download, while all the while stealing their data and transferring it to a command and control server.

SonicSpy has been uncovered by researchers at Lookout after they found three versions of it live in the official Google Play app store, each advertised as a messaging service.

Google has since removed the malicious apps -- called soniac, hulk messenger and troy chat -- from its store, but many other versions remain available on third-party application markets and the malware could have been downloaded thousands of times. At the time of removal from Google Play, soniac had been downloaded between 1,000 and 5,000 times.


SonicSpy in the Google Play store.

Image: Lookout

When downloaded from Google Play, Sonic Spy will hide itself from the victim and remove its launcher icon from the smartphone menu. It will then connect to a command and control server and attempt to download and install a modified version of the Telegram app.

This custom app contains the malicious features which allow the attackers to gain significant control over the device. It's unclear if the attackers are targeting specific users, or if they're trying to get hold of any information they can from anyone who downloads the malware.

Researchers analysed samples of SonicSpy and have found that it contains similarities to a spyware called Spynote, uncovered in the middle of last year.

SonicSpy and Spynote share code, make use of dynamic DNS services and they both run on the non-standard 2222 port, leading Lookout to suggest that the two families of malware have been built by the same hacking operation.

Tricking users into using a fully-functioning application while it secretly exfiltrates data to the attackers is also noted as a tactic used by the same attack group. The account behind the malicious apps is called 'iraqwebservice', leading researchers to suggest the campaign is of Iraqi origin.

Whoever is behind the malware, "Spoofing an encrypted communications app also shows the actor's interest in gathering sensitive information," said Michael Flossman, security research services tech lead at Lookout.

And while SonicSpy has been removed from the Google Play Store for now, Flossman warns that it could potentially get into it again.

"The actors behind this family have shown that they're capable of getting their spyware into the official app store and as it's actively being developed, and its build process is automated, it's likely that SonicSpy will surface again in the future," he said.

Google keeps the vast majority of its 1.4 billion Android users safe from malware, but malicious apps still regularly get through to the official store.


Editorial standards