August 11, 2017

Over 1000 Spyware Apps cluttering Android App Store

Over 1,000 spyware apps have been found cluttering Android app stores, and the Google Play Store itself is swarming with thousands of malicious apps. An unknown hacker has figured out how to inject malware into third-party app stores and the Google Play Store; the payload being injected has been dubbed SonicSpy.

It is believed the malware has been spreading since last February, disguising itself as a messaging app and offering messaging services. SonicSpy is spyware that can monitor everything the user does on their device, such as recording phone calls or making phone calls without the user's consent. It also records calls and audio from the microphone, takes pictures, and sends texts to numbers the attacker chooses. SonicSpy also steals user data such as call logs and contacts, and can track the victim's location.

Security researchers at mobile security firm Lookout discovered that three versions of the SonicSpy-infected messaging app had been released in the official Google Play Store, and the apps have already been downloaded thousands of times. The three versions, Soniac, Hulk Messenger, and Troy Chat, have since been removed from the Google Play Store, but the malware is still flooding third-party app stores along with other SonicSpy-infected apps. Before its removal from the Google Play Store, there had already been between 1,000 and 5,000 downloads.

Soniac disguised itself as a communications tool. Once installed, Soniac removes its launcher icon from the phone's menu to hide itself. It then connects to a command and control (C&C) server and installs an altered form of the Telegram app. Rather than providing messaging, the attacker uses the malicious features of the app to take full control of the infected device and spy on the user.

Lookout Security Research Services Technology Lead Michael Flossman stated:

“There are many indicators that suggest the same actor is behind the development of both. For example, both families share code similarities, regularly make use of dynamic DNS services, and run on the non-standard 2222 port.”

Researchers believe the malware is connected to a developer based in Iraq, and that the attacker can execute 73 different remote instructions supported by the malware. Researchers believe there is a connection to Iraq because the name behind the developer account is listed as “iraqiwebservice”, and because of various similarities between SonicSpy and SpyNote, a malware believed to have been written by an Iraqi hacker.
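The two network indicators quoted above, connections on the non-standard port 2222 and the use of dynamic DNS hostnames, are the kind of thing a defender can check in outbound connection logs. The Python below is an added example, not code from the article or from Lookout: it parses a few constructed log lines and flags connections that match either indicator, rating a connection that matches both higher than one that matches only one. The log format, the dynamic DNS suffixes (`ddns.example`, `dyn.example`) and every hostname and IP address are assumptions constructed for the example; a real deployment would substitute its own log format and the dynamic DNS providers it actually tracks.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Placeholder suffixes constructed for this example; a deployment would list the
# dynamic DNS providers it actually tracks. Not providers named in the article.
DYNAMIC_DNS_SUFFIXES: Tuple[str, ...] = ("ddns.example", "dyn.example")
# Port 2222 is the non-standard port the article quotes Lookout as naming.
SUSPICIOUS_PORTS = frozenset({2222})

# Constructed log format: "<timestamp> src=<ip> dst=<host-or-ip> dport=<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s*$"
)


@dataclass(frozen=True)
class Connection:
    ts: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Alert:
    conn: Connection
    reasons: Tuple[str, ...]
    severity: str


def parse_line(line: str) -> Optional[Connection]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Connection(m["ts"], m["src"], m["dst"], int(m["dport"]))


def is_dynamic_dns(host: str) -> bool:
    """True when host is a subdomain of a tracked dynamic DNS suffix.

    A leading dot is required, so 'ddns.example.com' does not match 'ddns.example'.
    """
    h = host.lower().rstrip(".")
    return any(h.endswith("." + suffix) for suffix in DYNAMIC_DNS_SUFFIXES)


def evaluate(conn: Connection) -> Optional[Alert]:
    """Apply both indicators; a connection matching both is rated 'high'."""
    reasons = []
    if conn.dport in SUSPICIOUS_PORTS:
        reasons.append(f"nonstandard_port_{conn.dport}")
    if is_dynamic_dns(conn.dst):
        reasons.append("dynamic_dns_host")
    if not reasons:
        return None
    severity = "high" if len(reasons) > 1 else "medium"
    return Alert(conn, tuple(reasons), severity)


def scan(lines: Iterable[str]) -> List[Alert]:
    """Return alerts for every parseable line that matches at least one indicator."""
    alerts = []
    for line in lines:
        conn = parse_line(line)
        if conn is None:
            continue  # malformed lines are skipped rather than aborting the scan
        alert = evaluate(conn)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log: one benign line, one matching both indicators,
# one per single indicator, and one malformed line.
SAMPLE_LOG = """\
2017-08-11T10:00:01Z src=10.0.0.5 dst=api.example.org dport=443
2017-08-11T10:00:02Z src=10.0.0.5 dst=c2host.ddns.example dport=2222
2017-08-11T10:00:03Z src=10.0.0.7 dst=203.0.113.9 dport=2222
2017-08-11T10:00:04Z src=10.0.0.8 dst=updates.dyn.example dport=80
this line is malformed and is skipped
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"{a.severity:6} {a.conn.ts} {a.conn.src} -> "
              f"{a.conn.dst}:{a.conn.dport}  {', '.join(a.reasons)}")
```

Either indicator on its own is weak evidence: port 2222 is also used by legitimate services, and dynamic DNS has plenty of benign users, which is why a single match is rated medium and only the combination is rated high. Tune the suffix list and port set to your own environment before relying on the output.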


About the author


LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.
