According to security researchers, a single attacker has produced 4,000 spyware apps for Android since February of this year, at least three of which made their way into Google’s official Play Store.

One of the three apps that snuck into the app store was Soniac, according to a blog post published this Thursday by a security researcher from Lookout. The app was downloaded between a thousand and five thousand times before Google took it off the market, and it offered messaging functions via a customized version of the Telegram communications program. While the user was distracted by the messaging functions, the app ran in the background and did anything from recording audio, making calls and sending text messages to collecting call logs, contacts, and information about Wi-Fi access points. Once Lookout reported the app as malicious, Google took it off the market.

The other two apps found to have the malware hidden in them, Hulk Messenger and Troy Chat, were also downloadable from Google Play but have since been removed as well. It is not yet known whether the developer withdrew them or Google removed them after learning of their malicious properties. The remaining apps, all 4,000 of them, are being distributed through other channels. Michael Flossman, a researcher from Lookout, said that those other channels might include alternative app markets or phishing text messages that contain a download link. The apps are all part of a malware family Lookout calls SonicSpy.

Flossman said in an email that one thing connecting all SonicSpy samples is that, once they compromise a device, they beacon to command-and-control servers and wait for instructions from the operator, who can issue one of seventy-three supported commands.

When the app is installed, SonicSpy removes its launcher icon in order to hide its presence and then connects to the control server located on port 2222 of arshad93.ddns[.]net.
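The beaconing behaviour described above can be hunted for in network logs. The following is an added example, not code from Lookout or from the original article: it flags devices that resolved the control-server name and then connected to the returned address on port 2222. The log formats, client addresses and timestamps are constructed for illustration; only the hostname and port come from the article.

```python
import re

# Indicator from the article, kept defanged in source and refanged at runtime.
C2_HOST_DEFANGED = "arshad93.ddns[.]net"
C2_PORT = 2222

def norm(host):
    """Refang and canonicalise a hostname (case, trailing dot)."""
    return host.replace("[.]", ".").strip().lower().rstrip(".")

# Assumed (constructed) log formats, one event per line, in time order:
#   <ts> dns client=<ip> query=<name> answer=<ip>
#   <ts> flow src=<ip> dst=<ip> dport=<port>
DNS_RE = re.compile(r"^(\S+) dns client=(\S+) query=(\S+) answer=(\S+)$")
FLOW_RE = re.compile(r"^(\S+) flow src=(\S+) dst=(\S+) dport=(\d+)$")

def find_beacons(lines, c2_host=C2_HOST_DEFANGED, c2_port=C2_PORT):
    """Return sorted (client, dst_ip, first_seen, count) tuples for clients
    that resolved the C2 name and then connected to an answer on the C2 port.
    Tracking answers per client copes with the dynamic-DNS address changing."""
    target = norm(c2_host)
    resolved = {}  # client IP -> set of addresses returned for the C2 name
    hits = {}      # (client, dst) -> (first_seen, count)
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            _, client, query, answer = m.groups()
            if norm(query) == target:  # exact match, so lookalikes are ignored
                resolved.setdefault(client, set()).add(answer)
            continue
        m = FLOW_RE.match(line)
        if m:
            ts, src, dst, dport = m.groups()
            if int(dport) == c2_port and dst in resolved.get(src, ()):
                first, count = hits.get((src, dst), (ts, 0))
                hits[(src, dst)] = (first, count + 1)
    return sorted((s, d, first, n) for (s, d), (first, n) in hits.items())

_C2 = norm(C2_HOST_DEFANGED)
SAMPLE_LOG = [  # constructed sample data using documentation address ranges
    f"2017-08-10T09:00:01Z dns client=10.0.0.21 query={_C2.upper()}. answer=203.0.113.7",
    "2017-08-10T09:00:02Z flow src=10.0.0.21 dst=203.0.113.7 dport=2222",
    f"2017-08-10T09:01:00Z dns client=10.0.0.35 query=not{_C2} answer=198.51.100.9",
    "2017-08-10T09:01:01Z flow src=10.0.0.35 dst=198.51.100.9 dport=2222",
    "2017-08-10T09:02:00Z flow src=10.0.0.40 dst=203.0.113.7 dport=443",
    "2017-08-10T09:05:02Z flow src=10.0.0.21 dst=203.0.113.7 dport=2222",
]

if __name__ == "__main__":
    for client, dst, first, count in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {dst}:{C2_PORT} first={first} connections={count}")
```

Only 10.0.0.21 is reported: the lookalike hostname and the port-443 flow from a device that never resolved the name are both ignored.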

Flossman also said that SonicSpy has similarities to another malware app family known as SpyNote, reported last year by the security firm Palo Alto Networks. The developer’s account name, iraqwebservice, and some of the components found in the apps’ code lead us to believe that the developer is based in Iraq. Not only that, but much of the domain infrastructure connected to SonicSpy references the country in question. The phrase “Iraqian Shield” appears constantly. Lookout will continue to follow leads that suggest the developer is based in that part of the world.

This report by Lookout’s researchers is another reminder of the many risks of downloading apps from third-party markets, but it also shows that Google Play is not as strong a guarantee of an app’s safety as it may seem. Android users should be wary of any non-Google app sources, with the exception of Amazon’s Android offerings. Users should also avoid installing Google Play apps of questionable value or utility, particularly when they have few downloads.

