August 11, 2017 by

Over 1000 Spyware Apps cluttering Android App Store

More than 1,000 apps carrying a spyware family dubbed SonicSpy have been found cluttering Android app stores. An unknown attacker has managed to push SonicSpy-infected apps into third-party app stores and, in several cases, past the review process of the official Google Play Store.

The malware is believed to have been spreading since February 2017, disguised as messaging apps that do provide working messaging functionality. SonicSpy is spyware that can monitor almost everything the user does on the device: it records phone calls and audio from the microphone, places calls without the user's consent, takes pictures with the camera, sends text messages to numbers the attacker chooses, retrieves data such as call logs and contacts, and tracks the victim's location.

Security researchers at mobile security firm Lookout uncovered three versions of the SonicSpy-infected messaging app in the official Google Play Store: Soniac, Hulk Messenger and Troy Chat. All three have since been removed from Google Play, but the malware remains widespread on third-party app stores alongside other SonicSpy-infected apps. Before the removal, the Play Store listing already showed between 1,000 and 5,000 downloads.

Soniac disguised itself as a communications tool. Once installed, it removes its launcher icon from the device's app menu to hide itself, then connects to a command and control (C&C) server and installs a modified version of the Telegram app. The modified client works as a normal messenger, but the malicious code bundled with it lets the attacker take full control of the infected device and spy on the user.

Lookout Security Research Services Technology Lead Michael Flossman stated:

“There are many indicators that suggest the same actor is behind the development of both. For example, both families share code similarities, regularly make use of dynamic DNS services, and run on the non-standard 2222 port.”

Researchers believe the malware is connected to a developer based in Iraq and that it supports 73 different remote commands the attacker can execute. Two observations point to Iraq: the developer account behind the apps is listed as “iraqiwebservice”, and SonicSpy shares several similarities with SpyNote, an earlier malware family also believed to have been written by an Iraqi hacker.
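The two network indicators quoted by Lookout above, use of dynamic DNS hostnames and a listener on the non-standard port 2222, are the kind of thing a defender can hunt for in egress logs. The following is an added example written for this page, not code from the original article or from Lookout: it scores constructed connection-log lines against those two indicators. The log line format, the list of dynamic-DNS suffixes and the sample hostnames are assumptions made for the example; nothing here claims SonicSpy used those particular providers.

```python
"""
Hunt for SonicSpy-style C&C traffic in outbound connection logs.

Added example, not the article's or Lookout's code. It applies two indicators
from the Lookout quote (dynamic DNS hostnames, destination port 2222) to a
handful of constructed log lines and reports which lines match, and why.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: a few widely used dynamic-DNS suffixes. A real hunt should use a
# maintained list; the article does not say which providers SonicSpy used.
DYNDNS_SUFFIXES = (".ddns.net", ".duckdns.org", ".dyndns.org",
                   ".no-ip.org", ".hopto.org")

# Non-standard C&C port named in the Lookout indicators quoted in the article.
SUSPECT_PORT = 2222

# Assumed log format: "<timestamp> <src_ip> -> <dst_host>:<dst_port> proto=<proto>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) proto=(\w+)$")


@dataclass
class Hit:
    timestamp: str
    src: str
    host: str
    port: int
    reasons: Tuple[str, ...]


def is_dyndns(host: str) -> bool:
    """True if the hostname ends with one of the assumed dynamic-DNS suffixes."""
    h = host.lower().rstrip(".")
    return any(h.endswith(suffix) for suffix in DYNDNS_SUFFIXES)


def score(host: str, port: int) -> List[str]:
    """Return the list of indicators a destination matches (may be empty)."""
    reasons = []
    if is_dyndns(host):
        reasons.append("dynamic-dns host")
    if port == SUSPECT_PORT:
        reasons.append("port 2222")
    return reasons


def hunt(lines, min_reasons: int = 1) -> List[Hit]:
    """Parse log lines and return those matching at least min_reasons indicators.

    Port 2222 alone is a common alternative SSH port, so min_reasons=2 is the
    setting that actually narrows the result to the combined SonicSpy pattern.
    Malformed lines are skipped rather than raising.
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, host, port, _proto = m.groups()
        reasons = score(host, int(port))
        if len(reasons) >= min_reasons:
            hits.append(Hit(ts, src, host, int(port), tuple(reasons)))
    return hits


# Constructed sample log: one benign Telegram connection, one line matching both
# indicators, one alt-port SSH false positive, one dyndns-only home device, and
# one malformed line the parser must ignore.
SAMPLE_LOG = [
    "2017-08-10T09:12:01Z 10.0.0.21 -> api.telegram.org:443 proto=tcp",
    "2017-08-10T09:12:05Z 10.0.0.21 -> update-srv.ddns.net:2222 proto=tcp",
    "2017-08-10T09:13:40Z 10.0.0.33 -> git.example.com:2222 proto=tcp",
    "2017-08-10T09:14:02Z 10.0.0.45 -> homecam.duckdns.org:443 proto=tcp",
    "this line is not a connection record",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG, min_reasons=2):
        print(f"{hit.timestamp} {hit.src} -> {hit.host}:{hit.port}  "
              f"[{', '.join(hit.reasons)}]")
```

Run with `min_reasons=1` to see every partial match, including the alt-port SSH line, which shows why either indicator alone is too noisy to alert on; requiring both reduces the constructed sample to the single `update-srv.ddns.net:2222` connection.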

About the author

LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.
