Google Play is widely considered the safest place to download Android applications, and users across the globe rely on it. However, according to Lookout's security researchers, in the past six months over a thousand applications have been infected with spyware, and some of them were distributed through Google Play. These infected applications belong to a malware family called SonicSpy, which supports about 73 different remote instructions.
The campaign started in February 2017. The perpetrators of this cybercrime are based in Iraq, since the developer account behind one of the infected Android apps, Soniac, was identified as iraqwebservice. The same account posted two other SonicSpy samples to the Play Store.
Lookout's team found an app called Soniac on Google Play that appeared to be a harmless version of the Telegram messaging app but also contained malicious functionality. Once an infected app is installed on a device, the cybercriminal behind the scheme immediately gains considerable control over it.
Some of the 73 supported instructions were identified in Soniac. Once control is gained, the threat actor can perform a variety of tasks, such as discreetly recording audio, capturing photos through the camera, sending text messages to chosen numbers, making outbound calls, and extracting information such as contacts, call logs, and details of nearby Wi-Fi access points.
When installed, SonicSpy removes its launcher icon and hides itself so that the victim does not realize the device has been infected. It then connects to its C&C server and installs a customized version of the Telegram app, which is titled su.apk and stored in the res/raw directory of the package.
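The dropper behaviour just described, an APK carrying a second APK under res/raw, can be flagged with a cheap static check before any dynamic analysis. The script below is an added example written for this article, not Lookout's tooling or anything recovered from SonicSpy: it walks the outer package, reads every res/raw entry, and reports those that are themselves zip archives containing the core APK members. The sample packages are constructed in memory; the only details taken from the report are the res/raw location and the su.apk file name.

```python
"""Static triage heuristic: find APKs embedded under res/raw.

Added example, not Lookout's tooling. The sample packages below are
constructed in memory so the script runs offline.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"          # local file header that opens every zip/APK
DEX_MAGIC = b"dex\n"               # start of a Dalvik executable header
APK_MARKERS = ("AndroidManifest.xml", "classes.dex")


def looks_like_apk(data: bytes) -> bool:
    """True if the bytes are a zip archive carrying the core APK members."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return all(marker in names for marker in APK_MARKERS)


def find_embedded_apks(apk_bytes: bytes) -> list:
    """Return the res/raw entries of an APK that are themselves APKs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.startswith("res/raw/"):
                continue
            payload = zf.read(info.filename)
            # Decide on content, not on extension: a payload may be stored
            # under any file name, so the magic bytes are what matter.
            if looks_like_apk(payload):
                findings.append({
                    "entry": info.filename,
                    "size": info.file_size,
                    "name_is_su_apk": info.filename.endswith("/su.apk"),
                })
    return findings


def build_apk(members: dict) -> bytes:
    """Constructed helper: pack {name: bytes} into a zip laid out like an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a minimal inner APK, a dropper that embeds it under
# res/raw/su.apk, and a clean package whose res/raw holds only a sound file.
INNER_APK = build_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": DEX_MAGIC + b"035\0" + b"\0" * 16,
})
DROPPER_APK = build_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": DEX_MAGIC + b"035\0",
    "res/raw/su.apk": INNER_APK,
    "res/raw/notification.ogg": b"OggS" + b"\0" * 32,
})
CLEAN_APK = build_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": DEX_MAGIC + b"035\0",
    "res/raw/notification.ogg": b"OggS" + b"\0" * 32,
})


if __name__ == "__main__":
    for label, apk in (("dropper", DROPPER_APK), ("clean", CLEAN_APK)):
        hits = find_embedded_apks(apk)
        print(f"{label}: {len(hits)} embedded APK(s) under res/raw")
        for hit in hits:
            print("   ", hit)
```

The check keys on the zip magic and the presence of AndroidManifest.xml and classes.dex rather than on the .apk extension, so a payload renamed to look like a media file is still caught. It is a first-pass filter only: a dropper that encrypts or otherwise encodes its payload before writing it to res/raw will not start with the zip header, so a clean result here is not proof that no second package is present.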
Other samples analyzed by the research team shared similarities with another malware family, SpyNote, which emerged in mid-2016. It is believed that the same author developed both families because their code is identical: both use dynamic DNS services and communicate over the non-standard port 2222.
SpyNote uses a customized desktop application to inject malware into a legitimate app so that the victim can still use the original functions of the infected app. The steady stream of SonicSpy apps suggests that the threat actors are using a similar automated build process. Currently, researchers have not identified the desktop tooling behind the malware.
It is clear that threat actors are now capable of getting spyware into applications on the official app store. Anyone who uses a mobile device to access sensitive information should therefore be concerned.