Researchers have identified over 1,000 spyware-infested apps capable of recording audio and snooping on call logs, contacts, and more.
Three such apps made their way into Google Play; they have since been removed. The rest appeared on third-party Android app stores, according to a blog post by Lookout Security.
The malware in question, SonicSpy, appears to have originated in Iraq, Lookout says. It was unleashed in February, and showed up in Google Play via three messaging apps: Hulk Messenger, Troy Chat, and Soniac.
Soniac is a “customized version of the communications app Telegram, [which] contains malicious capabilities that provide an attacker with significant control over a target device,” writes Michael Flossman, Security Research Services Tech Lead at Lookout.
“This includes the ability to silently record audio, take photos with the camera, make outbound calls, send text messages to attacker specified numbers, and retrieve information such as call logs, contacts, and information about Wi-Fi access points,” Flossman says. When installed, “SonicSpy will remove its launcher icon to hide itself from the victim.”
Google removed Soniac after Lookout reported it; Hulk Messenger and Troy Chat were also removed from Google Play, but it’s unclear if Google deleted them “or if the actor behind SonicSpy removed them in order to evade detection for as long as possible,” Flossman says.
Lookout says SonicSpy is similar to SpyNote, another strain of malware from mid-2016. “Both families share code similarities, regularly make use of dynamic DNS services, and run on the non-standard 2222 port,” Lookout says.
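The two network traits Lookout attributes to both families, dynamic DNS hostnames and the non-standard port 2222, are the kind of indicators a defender can turn into a simple egress-log check. The following is an added example, not code from the article or from Lookout: it parses constructed connection-log lines in an assumed `timestamp src -> host:port proto=...` format and flags connections that match either trait, treating a match on both as high confidence. The dynamic DNS suffix list is an illustrative assumption, not something the article provides.

```python
"""Flag outbound connections matching the SonicSpy/SpyNote network pattern
Lookout describes: traffic to the non-standard port 2222 and hostnames served
by dynamic DNS providers.  Log format and provider list are assumptions made
for this example; the sample log lines below are constructed, not captured."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumed: suffixes of some well-known dynamic DNS providers (illustrative list,
# not taken from the article; extend it from your own threat intel).
DYNAMIC_DNS_SUFFIXES = (
    ".no-ip.org", ".no-ip.biz", ".ddns.net", ".duckdns.org", ".hopto.org", ".zapto.org",
)
SUSPICIOUS_PORT = 2222  # the non-standard port both families use, per Lookout

# Assumed log format: "<timestamp> <src_ip> -> <dst_host>:<dst_port> proto=<proto>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<host>[^:\s]+):(?P<port>\d+)\s+proto=(?P<proto>\w+)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    host: str
    port: int
    reasons: Tuple[str, ...]  # one or both of "port-2222", "dynamic-dns"


def is_dynamic_dns(host: str) -> bool:
    """True if the hostname falls under one of the assumed dynamic DNS suffixes."""
    h = host.lower().rstrip(".")
    return any(h.endswith(suffix) for suffix in DYNAMIC_DNS_SUFFIXES)


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["port"] = int(fields["port"])
    return fields


def analyze(lines: Iterable[str]) -> List[Finding]:
    """Return a Finding for every connection showing at least one indicator."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unrelated line; skip rather than crash
        reasons = []
        if rec["port"] == SUSPICIOUS_PORT:
            reasons.append("port-2222")
        if is_dynamic_dns(rec["host"]):
            reasons.append("dynamic-dns")
        if reasons:
            findings.append(Finding(rec["ts"], rec["src"], rec["host"], rec["port"], tuple(reasons)))
    return findings


def high_confidence(findings: Iterable[Finding]) -> List[Finding]:
    """Keep only connections that match both indicators at once."""
    return [f for f in findings if len(f.reasons) == 2]


# Constructed sample log: one benign line, one matching both indicators,
# one matching only the port, one matching only dynamic DNS, one malformed.
SAMPLE_LOG = [
    "2017-08-10T12:00:01Z 10.0.0.5 -> api.telegram.org:443 proto=tcp",
    "2017-08-10T12:00:02Z 10.0.0.5 -> example-host.ddns.net:2222 proto=tcp",
    "2017-08-10T12:00:03Z 10.0.0.7 -> files.example.com:2222 proto=tcp",
    "2017-08-10T12:00:04Z 10.0.0.8 -> home-cam.no-ip.org:443 proto=tcp",
    "this line is not a connection record",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        level = "HIGH" if len(f.reasons) == 2 else "low"
        print(f"[{level}] {f.ts} {f.src} -> {f.host}:{f.port} ({', '.join(f.reasons)})")
```

Either indicator alone is noisy: legitimate services use dynamic DNS, and port 2222 is a common alternate SSH port, so the single-indicator findings are best treated as triage context, while a device talking on port 2222 to a dynamic DNS host warrants a look at which app owns the socket.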
“This kind of functionality should be highly concerning to any party accessing sensitive information through mobile devices, including enterprises,” Lookout says in a separate blog post.
“Enterprises often send employees overseas for conferences, customer meetings, etc., and while traveling, employees use messaging apps to communicate with coworkers and family back home,” Lookout warns. “Apps like SonicSpy capitalize on this by pretending to be trustworthy apps in well-known marketplaces.”