August 11, 2017

Over 1000 Spyware Apps cluttering Android App Store

Over 1,000 spyware apps have been found cluttering Android app stores. The Google Play Store is swarming with thousands of malicious apps. An unknown attacker has figured out how to get malware into third-party app stores and the Google Play Store; the malware being injected has been dubbed SonicSpy.

The malware is believed to have been spreading since last February, disguising itself as a messaging app and offering messaging services. SonicSpy is spyware that can monitor everything the user does on the device, such as recording phone calls or making phone calls without the user’s consent. It also records calls and audio from the microphone, takes pictures, and sends texts to numbers the attacker chooses. SonicSpy also steals user data such as call logs and contacts, and it can track the victim’s location.

Security researchers at mobile security firm Lookout discovered three versions of the SonicSpy-infected messaging app in the official Google Play Store. The apps had already been downloaded thousands of times. The three versions, Soniac, Hulk Messenger, and Troy Chat, have since been removed from the Google Play Store, but the malware is still flooding third-party app stores along with other SonicSpy-infected apps. Before its removal from the Google Play Store, it had already been downloaded between 1,000 and 5,000 times.

Soniac disguises itself as a communications tool. Once installed, it removes its launcher icon from the phone’s menu to hide itself, then connects to a command and control (C&C) server and installs an altered version of the Telegram app. Through that app’s malicious features, the attacker takes full control of the infected device and spies on the user.

Lookout Security Research Services Technology Lead Michael Flossman stated:

“There are many indicators that suggest the same actor is behind the development of both. For example, both families share code similarities, regularly make use of dynamic DNS services, and run on the non-standard 2222 port.”

Researchers believe the malware is connected to a developer based in Iraq, and the attacker can execute 73 different remote instructions supported by the malware. Researchers tie it to Iraq because the name behind the developer account is listed as “iraqiwebservice”, and because of various similarities between SonicSpy and SpyNote, a malware family believed to have been written by an Iraqi hacker.
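The two network indicators Lookout names above, dynamic DNS hostnames and the non-standard port 2222, are the kind of thing a defender can sweep connection logs for. The following Python script is an added example written for this page; it is not code from the article, from Lookout, or from LIFARS. It assumes a simple constructed log format (`<timestamp> <src_ip>:<src_port> -> <dst_host>:<dst_port> <proto>`) and uses placeholder dynamic DNS suffixes (`ddns.example` and the like), since the article does not name any provider. It rates a connection that shows both indicators as high confidence and a single indicator as low, because port 2222 on its own is also used legitimately (alternate SSH, for instance) and dynamic DNS on its own is common.

```python
import re
from dataclasses import dataclass

# Assumption: placeholder suffixes standing in for dynamic DNS providers.
# The article names none, so these are illustrative, not real indicators.
DYNAMIC_DNS_SUFFIXES = ("ddns.example", "no-ip.example", "dyndns.example")

# Named in the article: SonicSpy's C&C traffic runs on the non-standard port 2222.
SUSPECT_PORT = 2222

# Assumed log format (constructed for this example):
#   <timestamp> <src_ip>:<src_port> -> <dst_host>:<dst_port> <proto>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):\d+\s+->\s+"
    r"(?P<host>[\w.-]+):(?P<port>\d+)\s+(?P<proto>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    host: str
    port: int
    reasons: tuple
    severity: str


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_LINE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["port"] = int(event["port"])
    return event


def is_dynamic_dns(host):
    """True if the host is, or sits under, one of the placeholder DDNS suffixes."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def indicators(event):
    """Collect which of the two article-named indicators an event matches."""
    reasons = []
    if event["port"] == SUSPECT_PORT:
        reasons.append("non-standard port 2222")
    if is_dynamic_dns(event["host"]):
        reasons.append("dynamic DNS hostname")
    return tuple(reasons)


def scan(lines):
    """Return one Finding per line that matches at least one indicator.

    Both indicators together are rated 'high'; a single one is 'low', since
    port 2222 alone and dynamic DNS alone each have plenty of benign uses.
    """
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # skip malformed lines rather than abort the whole scan
        reasons = indicators(event)
        if not reasons:
            continue
        severity = "high" if len(reasons) == 2 else "low"
        findings.append(Finding(event["ts"], event["src"], event["host"],
                                event["port"], reasons, severity))
    return findings


# Constructed sample log: one benign line, one line hitting both indicators,
# one hitting only the port, one hitting only the hostname, and one malformed.
SAMPLE_LOG = [
    "2017-08-11T10:00:01Z 10.0.0.5:51234 -> api.chat.example:443 tcp",
    "2017-08-11T10:00:02Z 10.0.0.5:51235 -> c2host.ddns.example:2222 tcp",
    "2017-08-11T10:00:03Z 10.0.0.7:51236 -> build.internal.example:2222 tcp",
    "2017-08-11T10:00:04Z 10.0.0.9:51237 -> photos.no-ip.example:443 tcp",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.severity:4} {f.ts} {f.src} -> {f.host}:{f.port}  "
              f"({'; '.join(f.reasons)})")
```

Run against real data, the only thing to change is `LOG_LINE` (to match the firewall or proxy format in use) and `DYNAMIC_DNS_SUFFIXES` (to a maintained list of providers); the two-indicator scoring stays the same.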



About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
