Cybersecurity experts have discovered more than a thousand applications infected with SonicSpy spyware in the last six months, including some being distributed through Google Play.
The apps are part of the SonicSpy malware family and have been aggressively deployed since February 2017 by a hacker who is probably based in Iraq, Lookout Security's experts say. Google has been notified of the malicious activity and has removed at least one of these apps from Google Play.
One of the samples found on Google Play is called Soniac and was posing as a messaging app. Although it provides such functionality through a customized version of the Telegram messaging application, the software also includes malicious components.
When the malicious program is installed on a device, the hacker gains significant control over that device. The SonicSpy malware family includes support for 73 different remote instructions, but only some are found in Soniac.
These include the ability to silently record audio, take photos with the camera, and make outbound calls. In addition, the malware can send text messages to hacker-specified numbers and can retrieve information such as call logs, contacts, and information about Wi-Fi access points.
When executed, SonicSpy removes the launcher icon to hide from the victim, then tries to establish a connection to its C&C server (at arshad93.ddns[.]net). The malware tries to install its own version of Telegram, which has been stored in the res/raw directory under the name su.apk.
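The two static traits described above (an installable APK shipped inside res/raw and the C&C hostname) can be checked during APK triage. The following is an added example, not code from Lookout or from the article; the function names and the sample archives are constructed for illustration, and the check generalizes from su.apk to any nested APK under res/raw.

```python
import io
import zipfile

# C&C host named in the article, refanged so it can be matched as bytes.
C2_INDICATORS = (b"arshad93.ddns.net",)
ZIP_MAGIC = b"PK\x03\x04"

def triage_apk(data, indicators=C2_INDICATORS):
    """Return (kind, entry, detail) findings for one APK supplied as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            name, body = info.filename, apk.read(info)
            # An APK is a ZIP archive: a res/raw entry that is itself a ZIP
            # holding AndroidManifest.xml is an installable second-stage app.
            if name.startswith("res/raw/") and body.startswith(ZIP_MAGIC):
                try:
                    with zipfile.ZipFile(io.BytesIO(body)) as inner:
                        if "AndroidManifest.xml" in inner.namelist():
                            findings.append(("embedded_apk", name, "APK inside res/raw"))
                except zipfile.BadZipFile:
                    findings.append(("malformed_zip", name, "ZIP magic, unreadable"))
            # Plain byte match only; encoded or encrypted strings will not hit.
            for ioc in indicators:
                if ioc in body:
                    findings.append(("c2_indicator", name, ioc.decode()))
    return findings

def make_zip(entries):
    """Build an in-memory ZIP from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in entries.items():
            z.writestr(name, body)
    return buf.getvalue()

def constructed_samples():
    """Two constructed APK-shaped archives: one matching the article, one clean."""
    payload = make_zip({"AndroidManifest.xml": b"<manifest/>"})
    suspicious = make_zip({
        "AndroidManifest.xml": b"<manifest/>",
        "classes.dex": b"dex\n035\x00 host=arshad93.ddns.net",
        "res/raw/su.apk": payload,
    })
    clean = make_zip({"AndroidManifest.xml": b"<manifest/>", "res/raw/tone.ogg": b"OggS"})
    return suspicious, clean
```

A nested APK in res/raw is not malicious by itself, so a hit is a reason to inspect the package further rather than a verdict.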
“Anyone accessing sensitive information on their mobile device should be concerned about SonicSpy. The actors behind this family have shown that they're capable of getting their spyware into the official app store and as it's actively being developed, and its build process is automated, it's likely that SonicSpy will surface again in the future,” Lookout's cybersecurity experts say.