Android Apps on the Google Play Store have been discovered to harbour spyware originally created by an Iraqi developer.
In a blog post, security researchers at Lookout report identifying more than a thousand samples of a new spyware family they call SonicSpy, several of which were distributed through Google Play. According to their analysis, apps harbouring the malware can silently record audio; take photos with the camera; make outbound calls; send text messages to attacker-specified numbers; and retrieve call logs, contacts, and information about nearby Wi-Fi access points.
“In fact, the malware has the ability to respond to over 73 different remote commands, meaning attackers can manipulate a victim's device from afar through a command and control server,” said Michael Flossman, security analyst at Lookout.
“Once successfully on the device, it provides the victim the advertised messaging functionality while simultaneously stealing data, building a false sense of trust with the victim.”
The most recent example of SonicSpy found on the Play Store was called Soniac and was marketed as a messaging app. While Soniac does provide this functionality through a customised build of the communications app Telegram, it also contains malicious capabilities that give an attacker significant control over the target device.
Upon first execution, SonicSpy removes its launcher icon to hide itself from the victim, establishes a connection to its C2 infrastructure (arshad93.ddns[.]net:2222), and attempts to install its own custom build of Telegram, which it carries as a second APK stored in the res/raw directory under the name su.apk.
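Two of the traits described above are visible in a static look at the package without running it: a second APK hidden under res/raw, and the C2 hostname sitting as a plain string in the app's code. The following triage script is an added example written for this page, not Lookout's tooling and not derived from the actual sample. It treats an APK as the zip file it is, flags any res/raw entry that starts with the zip magic regardless of its file name (an attacker can rename su.apk), recurses one level into any embedded package, and searches every entry for the reported C2 hostname. The two in-memory "APKs" it builds are constructed stand-ins for demonstration only.

```python
import io
import sys
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List

# Indicator taken from the write-up above (the defanging brackets removed so
# the bytes match what would actually appear in classes.dex).
C2_INDICATORS = [b"arshad93.ddns.net"]
EMBEDDED_DIR = "res/raw/"
ZIP_MAGIC = b"PK\x03\x04"
MAX_DEPTH = 1  # how many levels of nested APK to descend into


@dataclass
class TriageResult:
    embedded_apks: List[str] = field(default_factory=list)
    c2_hits: Dict[str, List[str]] = field(default_factory=dict)  # indicator -> entries
    nested: Dict[str, "TriageResult"] = field(default_factory=dict)

    @property
    def suspicious(self) -> bool:
        return bool(self.embedded_apks or self.c2_hits)


def triage_apk(data: bytes, depth: int = 0) -> TriageResult:
    """Static triage of one APK: find embedded packages under res/raw and
    scan every entry's decompressed bytes for the known C2 hostname."""
    result = TriageResult()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            blob = zf.read(name)  # decompressed, so DEFLATE does not hide strings
            # A zip inside res/raw is an embedded APK whatever it is called.
            if name.startswith(EMBEDDED_DIR) and blob.startswith(ZIP_MAGIC):
                result.embedded_apks.append(name)
                if depth < MAX_DEPTH:
                    result.nested[name] = triage_apk(blob, depth + 1)
            for indicator in C2_INDICATORS:
                if indicator in blob:
                    result.c2_hits.setdefault(indicator.decode(), []).append(name)
    return result


def build_sample(malicious: bool) -> bytes:
    """Constructed APK-shaped zip for demonstration; not a real sample."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00stub messaging payload")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<binary xml stub>")
        if malicious:
            z.writestr("classes.dex", b"dex\n035\x00...arshad93.ddns.net...2222...")
            z.writestr("res/raw/su.apk", inner.getvalue())
        else:
            z.writestr("classes.dex", b"dex\n035\x00benign code")
            z.writestr("res/raw/ringtone.ogg", b"OggS" + b"\x00" * 16)
    return buf.getvalue()


def report(result: TriageResult, indent: str = "") -> None:
    print(f"{indent}suspicious: {result.suspicious}")
    for name in result.embedded_apks:
        print(f"{indent}embedded package: {name}")
        if name in result.nested:
            report(result.nested[name], indent + "  ")
    for indicator, entries in result.c2_hits.items():
        print(f"{indent}C2 indicator {indicator!r} in: {', '.join(entries)}")


if __name__ == "__main__":
    # Usage: python triage.py path/to/app.apk   (no argument: run on the stand-ins)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            report(triage_apk(f.read()))
    else:
        for label, flag in (("constructed malicious", True), ("constructed benign", False)):
            print(f"== {label} ==")
            report(triage_apk(build_sample(flag)))
```

The hostname match is the brittle part: a rebuilt sample with a new DDNS name passes straight through, so in practice the embedded-package check is the more durable of the two and is worth keeping even after the indicator list goes stale.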
“This kind of functionality should be highly concerning to any party accessing sensitive information through mobile devices, including enterprises,” said Flossman.
Lookout found that the account behind Soniac, iraqwebservice, has also previously posted two other SonicSpy samples to the Play Store, although both samples are no longer live. “It's unclear whether they were removed as a direct result of Google taking action or if the actor behind SonicSpy removed them in order to evade detection for as long as possible,” said Flossman.
He added that enterprises often send employees overseas for conferences, customer meetings and the like, and that while travelling, employees use messaging apps to communicate with coworkers and family back home. “Apps like SonicSpy capitalise on this by pretending to be trustworthy apps in well-known marketplaces,” he said.
“It's clear that the malicious actor(s) behind SonicSpy wanted the app to persist on the victim's device, so they made sure to incorporate the functionality that the end user was expecting.”
“It only takes one threat in an enterprise to cause significant damage. For example, many enterprises must comply with government or industry regulations that, when violated, could result in expensive fines,” he said.