Spyware found in more than 1,000 apps in Google Play store
Spyware found in more than 1,000 apps in Google Play store

According to a blog post by security researchers at Lookout, more than a thousand apps on Google Play contain a new spyware family called SonicSpy. According to analysis carried out by the researchers, apps harbouring the malware can silently record audio; take photos with the camera; make outbound calls; send text messages to attacker-specified numbers; and retrieve call logs, contacts, and information about Wi-Fi access points.

“In fact, the malware has the ability to respond to over 73 different remote commands, meaning attackers can manipulate a victim's device from afar through a command and control server,” said Michael Flossman, security analyst at Lookout.

“Once successfully on the device, it provides the victim the advertised messaging functionality while simultaneously stealing data, building a false sense of trust with the victim.”

The most recent example of SonicSpy found on the Play Store, was called Soniac and was marketed as a messaging app. While Soniac does provide this functionality through a customised version of the communications app Telegram, it also contains malicious capabilities that provide an attacker with significant control over a target device. 

Upon first execution SonicSpy will remove its launcher icon to hide itself from the victim, establish a connection to C2 infrastructure (arshad93.ddns[.]net:2222), and attempt to install its own custom version of Telegram that is stored in the res/raw directory and titled su.apk.

“This kind of functionality should be highly concerning to any party accessing sensitive information through mobile devices, including enterprises,” said Flossman.

Lookout found that the account behind Soniac, iraqwebservice, has also previously posted two other SonicSpy samples to the Play Store, although both samples are no longer live. “It's unclear whether they were removed as a direct result of Google taking action or if the actor behind SonicSpy removed them in order to evade detection for as long as possible,” said Flossman.

He added that enterprises often send employees overseas for conferences, customer meetings, etc and while traveling, employees use messaging apps to communicate with coworkers and family back home. “Apps like SonicSpy capitalise on this by pretending to be trustworthy apps in well-known marketplaces,” he added.

“It's clear that the malicious actor(s) behind SonicSpy wanted the app to persist on the victim's device, so they made sure to incorporate the functionality that the end user was expecting.”

“It only takes one threat in an enterprise to cause significant damage. For example, many enterprises must comply with government or industry regulations that, when violated, could result in expensive fines,” he said.

Chris Doman, security researcher at AlienVault, told SC Media UK that Google employs automated scanning techniques such as sandboxing new apps. However, there are millions of apps in the Google Play store and it can be very difficult to differentiate between a legitimate app that requires remotely accessing a phone and a malicious one.

“In this case, LookOut identified the app by employing some malware hunting methods that were different to how Google operates,” he said. “These compromised apps allow the attackers to record calls and video of targets. Additionally, stolen credentials could be used in attacks against further systems.”

He added that Google's new Google Play Protect service aims to detect malware such as this, though it's not clear if it worked in this instance. “Organisations can restrict users to only downloading from the official Google Play store.”

Chris Boyd, lead malware intelligence analyst at Malwarebytes, told SC Media UK that the app in question looks like familiar programmes to the uninitiated, but performs multiple intrusive tasks behind the scenes. “The biggest issue here is potential data leakage for organisations big and small, though home users wouldn't want their information compromised in this fashion either,” he said.

“If someone had a rogue app installed, it's down to IT to work with the victim and discover exactly what information was available on the device. A client list of mobile contacts may not matter to one company, but it may be the lifeblood of another. By the same token, sensitive conversations captured by voice recording could be devastating. In both cases, proactive measures are the only real solution as once the data is out in the wild, the damage is done.”