Over 1000 Spyware Apps cluttering Android App Store

Over 1000 spyware apps were cluttering the Android app store. The Google Play Store is swarming with thousands of malicious apps. An unknown hacker has figured out how to inject malware into third-party app stores and the Google Play Store; the payload being injected has been dubbed SonicSpy.

It is believed the malware has been spreading since last February, disguising itself as a messaging app and offering messaging services. SonicSpy is spyware that can monitor everything the user does on their device, such as recording phone calls or making phone calls without the user's consent. It also records calls and audio from the microphone, takes pictures, and sends texts to numbers the attacker chooses. SonicSpy also steals user data such as call logs and contacts, and it can track the victim's location.

Security researchers at the mobile security firm Lookout uncovered three versions of the SonicSpy-infected messaging app released in the official Google Play Store. The apps have already been downloaded thousands of times. The three versions, Soniac, Hulk Messenger, and Troy Chat, have since been removed from the Google Play Store, but the malware is still flooding third-party app stores along with other SonicSpy-infected apps. Before its removal from the Google Play Store, there were already between 1,000 and 5,000 downloads.

Soniac disguised itself as a communications tool. Once installed, Soniac removes its launcher icon from the phone's menu to hide itself. It then connects to a command and control (C&C) server and installs an altered form of the Telegram app. The attacker uses the malicious features built into that app to take full control of the infected device and spy on the user.

Lookout Security Research Services Technology Lead Michael Flossman stated:

“There are many indicators that suggest the same actor is behind the development of both. For example, both families share code similarities, regularly make use of dynamic DNS services, and run on the non-standard 2222 port.”

Researchers believe the malware is connected to a developer based in Iraq, and the attacker can execute 73 different remote instructions supported by the malware. Researchers believe there is a connection to Iraq because the name behind the developer account is listed as “iraqiwebservice”, and because of various similarities between SonicSpy and SpyNote, a malware believed to have been written by an Iraqi hacker.
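As an added example (not from the original article or from Lookout), the two network indicators Flossman lists, dynamic DNS hostnames and the non-standard port 2222, can be turned into a simple egress-log check that a defender could run over device or gateway logs. The log line format, the dynamic DNS zone list and the sample lines are assumptions constructed for this illustration.

```python
import re
from dataclasses import dataclass, field

# Assumed watchlist of dynamic DNS zones; extend it with the zones seen in your own telemetry.
DYNAMIC_DNS_ZONES = ("no-ip.com", "ddns.net", "dyndns.org", "duckdns.org", "hopto.org")
# Non-standard port that the quoted researchers associate with SonicSpy/SpyNote C&C traffic.
SUSPICIOUS_PORT = 2222

# Hypothetical egress-log format: "<timestamp> src=<ip> dst=<host> dport=<port>"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    reasons: list = field(default_factory=list)

    @property
    def severity(self):
        # Both indicators together match the quoted pattern far better than either alone.
        return "high" if len(self.reasons) == 2 else "low"


def is_dynamic_dns(host):
    """True if host is, or is a subdomain of, a watched dynamic DNS zone."""
    host = host.lower().rstrip(".")
    return any(host == z or host.endswith("." + z) for z in DYNAMIC_DNS_ZONES)


def analyze(log_text):
    """Return one Alert per log line that hits at least one indicator."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing on them
        dport = int(m["dport"])
        reasons = []
        if dport == SUSPICIOUS_PORT:
            reasons.append("non-standard port 2222")
        if is_dynamic_dns(m["dst"]):
            reasons.append("dynamic DNS hostname")
        if reasons:
            alerts.append(Alert(m["ts"], m["src"], m["dst"], dport, reasons))
    return alerts


# Constructed sample log: one benign line, one matching both indicators, two matching one each.
SAMPLE_LOG = """\
2017-08-10T12:00:01Z src=10.0.0.12 dst=updates.example.org dport=443
2017-08-10T12:00:02Z src=10.0.0.12 dst=chat-relay.no-ip.com dport=2222
2017-08-10T12:00:03Z src=10.0.0.15 dst=mirror.example.net dport=2222
2017-08-10T12:00:04Z src=10.0.0.20 dst=home.duckdns.org dport=80
"""

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a.severity}] {a.ts} {a.src} -> {a.dst}:{a.dport} ({', '.join(a.reasons)})")
```

Only the line that combines both indicators is rated high; single-indicator hits are kept at low severity because plenty of legitimate software uses dynamic DNS or port 2222 on its own.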