According to security researchers at Lookout, a single attacker has built about 4,000 Android spyware apps since February of this year, at least three of which made their way into Google's official Play Store.
One of the three, Soniac, was described in a blog post published Thursday by a Lookout researcher. It was downloaded between 1,000 and 5,000 times before Google removed it from the store. Soniac offered messaging functions through a customized build of the Telegram messenger; while the user was occupied with the chat features, the app ran in the background and could record audio, make calls, send text messages, and collect call logs, contacts and information about nearby Wi-Fi access points. Google removed the app after Lookout reported it as malicious.
The other two apps found to carry the malware, Hulk Messenger and Troy Chat, were also available on Google Play but have since been removed; it is not known whether the developer withdrew them or Google pulled them after discovering their malicious behavior. The rest of the roughly 4,000 apps are being distributed through other channels. Lookout researcher Michael Flossman said those channels likely include alternative app markets and phishing text messages carrying a download link. Lookout tracks the whole set as a malware family it calls SonicSpy.
Flossman said in an email that what ties all SonicSpy samples together is their behavior after compromising a device: they beacon to command-and-control servers and wait for instructions from the operator, who can issue any of 73 supported commands.
Once installed, SonicSpy removes its launcher icon to hide its presence (as with any Android app that disables its launcher activity, it still appears in the device's list of installed applications in Settings) and then connects to its control server on port 2222 of arshad93.ddns[.]net.
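The two preceding paragraphs give the only network indicator in the report: the beacon to arshad93.ddns[.]net on port 2222. The script below is an added example, not code from Lookout or from the SonicSpy apps, showing how a defender would sweep DNS and connection logs for that indicator. Because the C2 host is a dynamic-DNS name, the script learns the host's current IP from DNS answers seen in the log and then flags connections to that IP rather than matching on the port alone. The log format and every log line are constructed for the example.

```python
"""Added example: sweep constructed DNS/connection logs for the SonicSpy
command-and-control indicator named in the article (arshad93.ddns[.]net, TCP 2222).
Not code from Lookout's report; the log format below is invented for illustration."""
import re
from typing import Dict, Iterable, List

# Indicator from the article. The "[.]" is the defanged form used in the
# write-up; strip it so the hostname compares equal to what a resolver logs.
SONICSPY_C2_HOST = "arshad93.ddns[.]net".replace("[.]", ".")
SONICSPY_C2_PORT = 2222

# Constructed sample log (not a real capture). Two record kinds:
#   dns  : a resolver query, optionally with the answer it returned
#   conn : a flow record with source/destination IP:port
SAMPLE_LOG = """\
2017-08-10T12:00:01Z dns query=android.clients.google.com src=10.0.0.5
2017-08-10T12:00:03Z dns query=arshad93.ddns.net src=10.0.0.5 answer=203.0.113.7
2017-08-10T12:00:04Z conn src=10.0.0.5:43112 dst=203.0.113.7:2222 proto=tcp bytes=512
2017-08-10T12:00:09Z conn src=10.0.0.6:51000 dst=93.184.216.34:443 proto=tcp bytes=9044
2017-08-10T12:01:00Z dns query=ARSHAD93.DDNS.NET. src=10.0.0.9
"""

DNS_RE = re.compile(
    r"^(?P<ts>\S+) dns query=(?P<qname>\S+) src=(?P<src>\S+)(?: answer=(?P<answer>\S+))?"
)
CONN_RE = re.compile(
    r"^(?P<ts>\S+) conn src=(?P<src>[^:\s]+):\d+ dst=(?P<dst>[^:\s]+):(?P<dport>\d+)"
)


def find_sonicspy_indicators(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per log line that matches the SonicSpy C2 indicator.

    A DNS query for the C2 hostname is a hit on its own (case-insensitive,
    trailing dot tolerated). Any answer IP is remembered so that later flow
    records to that IP can be flagged even though the dynamic-DNS name is
    not present in the flow record itself.
    """
    hits: List[Dict[str, str]] = []
    resolved_c2_ips = set()

    for line in lines:
        m = DNS_RE.match(line)
        if m:
            qname = m["qname"].rstrip(".").lower()
            if qname == SONICSPY_C2_HOST:
                hits.append({"ts": m["ts"], "src": m["src"], "kind": "dns", "detail": qname})
                if m["answer"]:
                    resolved_c2_ips.add(m["answer"])
            continue

        m = CONN_RE.match(line)
        if m and m["dst"] in resolved_c2_ips:
            port_note = "c2-port" if int(m["dport"]) == SONICSPY_C2_PORT else "other-port"
            hits.append({
                "ts": m["ts"], "src": m["src"], "kind": "conn",
                "detail": f'{m["dst"]}:{m["dport"]} ({port_note})',
            })
    return hits


def infected_hosts(lines: Iterable[str]) -> List[str]:
    """Sorted, de-duplicated list of internal sources that touched the C2."""
    return sorted({h["src"] for h in find_sonicspy_indicators(lines)})


if __name__ == "__main__":
    for hit in find_sonicspy_indicators(SAMPLE_LOG.splitlines()):
        print(f'{hit["ts"]} {hit["src"]:<10} {hit["kind"]:<4} {hit["detail"]}')
    print("hosts to triage:", ", ".join(infected_hosts(SAMPLE_LOG.splitlines())))
```

Matching on port 2222 alone would be noisy (it is a common alternate SSH port), which is why the flow check is keyed on IPs learned from DNS answers and the port is only recorded as supporting evidence. For a real sweep, feed the function your resolver and NetFlow/Zeek exports after adapting the two regexes to their field layout.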
Flossman also said SonicSpy shares similarities with another Android malware family, SpyNote, reported last year by the security firm Palo Alto Networks. The developer's account name, iraqwebservice, and some components in the apps' code suggest the developer is based in Iraq; much of the domain infrastructure tied to SonicSpy also references the country, and the phrase "Iraqian Shield" appears repeatedly. Lookout said it will continue to follow leads suggesting the developer is based in that region.
Lookout's report is another reminder of the risks of downloading apps from third-party markets, but it also shows that Google Play is no guarantee that an app is safe. Android users should be wary of any non-Google app source, with the exception of Amazon's Android app store. Users should also avoid installing Google Play apps of questionable value or utility, particularly those with few downloads.