Three messaging apps in the Google Play store contained spyware called SonicSpy. According to researchers, the spyware also infected more than 1,000 additional apps hosted at third-party Android app stores.
Researchers at Lookout traced the spyware-infected apps to an Iraqi developer identified as IraqWebService. Researchers said they can’t be sure how long the spyware was available on Google Play, but statistics for one of the apps (Soniac Messenger) indicated it was last updated in April, and has been downloaded between 1,000 and 5,000 times.
Lookout researchers identified three messaging apps—Soniac Messenger, Hulk Messenger and Troy Chat—that each contained SonicSpy and had been available on Google Play. The additional 1,000 apps, researchers said, were customized versions of popular apps, such as Pokémon Go, Netflix and Clash Royale, that had been injected with SonicSpy spyware.
Similarly, the Soniac Messenger app was actually a customized version of the Telegram messaging app, Lookout said. “It’s quite possible the individual or group has automatic build capabilities and churning out these applications at quite a high rate,” said Michael Flossman, a researcher with Lookout Security.
On July 7, researchers notified Google of the spyware in Soniac Messenger and it was booted from the Google Play store the same day. Sometime prior July 7, the Hulk Messenger and Troy Chat apps were also removed from the Google Play store by either the developer or Google, according to Lookout.
Google did not return a request to comment for this story.
The SonicSpy spyware is extremely aggressive, Flossman said. “Analysis of SonicSpy shows its ability to manipulate a victim’s device via 73 remote instructions, including access to the camera, SMS, call logs, contacts, information about Wi-Fi access points, and more,” he said.
“Upon first execution SonicSpy will remove its launcher icon to hide itself from the victim and establish a connection to C2 infrastructure (arshad93.ddns[.]net:2222),” wrote researchers in a technical analysis of SonicSpy.
“Running Netcat on port 2222 where the DNS record for arshad93.ddns[.]net has been locally poisoned and allows us to interact directly with an infected device,” researchers wrote. Functionality included sending commands that made it is possible to retrieve call logs, clipboard data and video and audio recordings the attacker made while controlling the device remotely.
The spyware also took advantage of the Bind Accessibility Services in the Android operating system, enabling it to capture text descriptions of the victim’s device usage, Flossman said. “Attackers can use the Accessibility Service on Android devices so they can be notified when a message hits your device, also giving them the ability to read it,” he said.
Flossman told Threatpost Lookout has been tracking the SonicSpy spyware since February. He said the spyware shared many of the same attributes as the SpyNote trojan, a malware first identified in mid-2016.
Similar to SonicSpy, SpyNote was designed to trick Android users into thinking it was a legitimate application. Once installed, SpyNote hands control of the device over to the adversary, enabling them to copy files, view contacts, and eavesdrop on the victim, among other capabilities.
Lookout said not much is known about the developer IraqWebService which was distributing the spyware infected apps. Researchers said the developer is based in Iraq and may have created the apps to specifically target a small number of people in the Middle East. “They may have worked hard to get the messaging apps hosted on Google Play in order to win the confidence of their target,” Flossman said.