Spyware called SonicSpy was detected in three messaging applications in the Google-owned store Google Play. It was reported that SonicSpy also infected over 1,000 other applications presented in third party app stores.
Lookout uncovered the culprit – a developer from Iraq, known as IraqWebService. Researchers at Lookout are not sure for how long the malware was accessible on Google Play. However, one of the infected apps, called Soniac Messenger, has been downloaded onto the victims’ devices 1,000-5,000 times.
There are three messaging apps that contained the spyware – Soniac Messenger, Troy Chat and Hulk Messenger. All of them were available on Google Play. 1,000 other infected applications were analogs for well-known apps like Netflix, Pokémon Go or Clash Royale.
The Soniac Messenger application also was a customized version of the popular messaging app – Telegram.
Google was informed about the spyware-infected Soniac on July 7 and immediately removed it from the Google Play, followed by Hulk messenger and Troy Chat applications, which were also deleted from the store. However, it is unknown who exactly removed these two apps – Google or the developer.
The spyware is highly aggressive and can cause a lot of damage. According to the research at Lookout, Michael Flossman, SonicSpy is capable to maneuver an infected device with 73 remote directions. The spyware can access the camera, call logs, contacts, Di Fi data and other personal and important information. M. Flossman also added: “Upon first execution SonicSpy will remove its launcher icon to hide itself from the victim and establish a connection to C2 infrastructure (arshad93.ddns[.]net:2222)”.
Furthermore, “Running Netcat on port 2222 where the DNS record for arshad93.ddns[.]net has been locally poisoned and allows us to interact directly with an infected device”. SonicSpy’s features combine transmit commands, thus it made it possible to restore call logs, audio and/or video records, clipboard information that the hacker created while executing the device.
Interestingly, SonicSpy also used the Bind Accessibility Services that empowered it to record text descriptions of the users’ mobile usage, according to M. Flossman. Accessibility Service allows hackers to be notified when a victim receives a message and enables them to read it on any Android device.Flossman has been tracing the spyware since February, 2017, and notes, that SonicSpy combines similar features as another spyware – SpyNote.
Spynote, much like SonicSpy, was established to lure consumers by assuring them that they are downloading a legitimate app. Just after the installation, SpyNote takes control of the device and copies files, eavesdrops on the victim, and more.
According to Lookout, there is not much information about the developer IraqWebService. The only information available is that the developer is based in Iraq and possibly has published these apps in order to attack small groups of individuals in the Middle East.