Security experts have identified that the SonicSpy Android spyware is being used to generate a large number of malicious apps for the mobile operating system. In a matter of months the hackers have been able to create over 1000 virus instances, some of which have been spread on Google Play as well.
SonicSpy Android Malware Creates Its Own Army
Hackers are attempting to infect thousands of Android users with a new weapon ‒ the SonicSpy spyware. This is a malware family that has been under development for several months now, and it has been used extensively to create malicious apps, some of which have also been identified on the Google Play store. The first instances associated with the threat were identified back in February 2017, when security experts came across a series of malware apps on Google Play. After Google was notified about the incident they were promptly removed. The name SonicSpy comes from one of the applications that was pushed to the victims, called “Soniac”. It was marketed as a messaging app built by taking the Telegram client and applying a makeover. While users were being manipulated into thinking that their messages were secure, a malicious module was active on their Android devices that was able to cause a number of serious security issues.
- Trojan Component ‒ The SonicSpy Android spyware is able to inject itself deep into the system and actively spy on the user. This includes recording audio with the built-in microphone, taking photos with the camera, making calls, and monitoring messages, call logs, contacts, settings and account credentials.
- Remote Control ‒ The attained infections can support hacker-controlled commands. The malware family supports 73 different instructions that can be directed to the infected hosts.
- Install Additional Malware ‒ The SonicSpy Android spyware is useful for installing other viruses.
The initial security analysis of the SonicSpy Android spyware shows that it bears a resemblance to another malware family known as “SpyNote”. The similarities were found in the applications' ability to use a dynamic DNS service and to communicate on port 2222. According to the researchers, the SonicSpy operators are using an automated build process to create the various Android packages. At the time of its removal from the Google Play store, the app had been installed between 1000 and 5000 times.
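The two network traits the analysis attributes to SonicSpy (dynamic DNS hosting and traffic on port 2222) are the kind of indicator a defender can hunt for in egress logs. The script below is an added example written for this article, not code from the researchers or from the malware analysis: it triages a few constructed connection-log lines and flags those that combine a dynamic DNS destination with port 2222. The log line format, the list of dynamic DNS provider suffixes and the severity scheme are all assumptions made for the example; the page does not name the provider the malware used.

```python
import re
from dataclasses import dataclass

# Assumed list of dynamic DNS provider suffixes used for this example; extend it
# with whatever providers your own threat intelligence tracks.
DYNAMIC_DNS_SUFFIXES = ("no-ip.org", "ddns.net", "duckdns.org", "dyndns.org", "hopto.org")

# Port named in the article as shared by SonicSpy and SpyNote traffic.
SUSPECT_PORT = 2222

# Constructed connection-log format: "<timestamp> <src> -> <dst>:<port> <proto>".
# Destinations are hostnames or IPv4 literals (IPv6 literals would need bracket handling).
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:]+):(?P<port>\d+) (?P<proto>\S+)$")

# Constructed sample log; only the second line shows both indicators together.
SAMPLE_LOG = """
2017-08-10T12:00:01Z 10.0.0.12 -> update.example-cdn.com:443 tcp
2017-08-10T12:00:05Z 10.0.0.12 -> myhost.ddns.net:2222 tcp
2017-08-10T12:00:09Z 10.0.0.33 -> mail.example.com:993 tcp
2017-08-10T12:01:15Z 10.0.0.12 -> 203.0.113.7:2222 tcp
2017-08-10T12:02:00Z 10.0.0.45 -> home.duckdns.org:443 tcp
"""


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    port: int
    reasons: tuple
    severity: str


def is_dynamic_dns(host: str) -> bool:
    """True when the destination hostname sits under a known dynamic DNS suffix."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def triage(lines) -> list:
    """Return one Alert per log line that shows at least one SonicSpy-style indicator.

    Both indicators together are rated "high"; a single indicator is "low", since
    port 2222 alone (often an alternate SSH port) and dynamic DNS alone are common
    in legitimate traffic.
    """
    alerts = []
    for raw in lines:
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crash the triage
        port = int(m["port"])
        dst = m["dst"]
        reasons = []
        if port == SUSPECT_PORT:
            reasons.append("port 2222")
        if is_dynamic_dns(dst):
            reasons.append("dynamic DNS host")
        if reasons:
            severity = "high" if len(reasons) == 2 else "low"
            alerts.append(Alert(m["ts"], m["src"], dst, port, tuple(reasons), severity))
    return alerts


def high_severity(alerts) -> list:
    return [a for a in alerts if a.severity == "high"]


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG.splitlines()):
        print(f"{alert.severity:4} {alert.src} -> {alert.dst}:{alert.port} ({', '.join(alert.reasons)})")
```

The scoring deliberately treats either indicator on its own as low confidence: a single device talking to a dynamic DNS host on port 2222 is worth a look, but the high-severity match is the conjunction, which is what the analysis actually describes.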
Impact of the SonicSpy Android Spyware
The identified SonicSpy Android spyware samples were found on the Google Play Store. Since the first instances were spotted, the criminals behind them have removed some of the apps on purpose to evade detection. Known apps that carry the code include Hulk Messenger and Troy Chat.
Victims of the SonicSpy spyware may never know that malicious instances are present on their devices. Once the initial infection is complete, however, their sensitive information may be uploaded immediately to the hacker-controlled servers. The fact that the virus engine is able to inject itself deep into the device makes it hard for users to spot infections.
We expect to see new versions of the malware, as the hackers behind it are using an automated build process that allows hundreds of different strains to be made in a matter of minutes. The ready-made templates are customized using configuration files. At the moment there is no information available about the identity of the criminal collective behind the virus samples. It is suspected that developers from Iraq are responsible for some of the variants associated with SonicSpy.
The security experts note that the apps' ability to infiltrate the Google Play Store and bypass the usual checks and measures makes this a very formidable threat to look out for. Carefully review all security permissions and user comments before installing an application. Note that SonicSpy Android spyware strains can also be found in fake copies of well-known software.
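The advice to review an app's permissions before installing can be turned into a repeatable check. The following script is an added example for this article, not code from the researchers: it parses an AndroidManifest.xml and maps the declared permissions onto the capabilities the article attributes to the SonicSpy Trojan component (audio recording, camera, calls, messages, call logs, contacts, account data). The two manifests are constructed samples, the permission-to-capability mapping and the alert threshold are assumptions chosen for the example, and the output is a triage signal rather than a verdict, since a genuine messenger has legitimate reasons to ask for several of these permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Assumed mapping from the capabilities the article describes to the Android
# permissions an app must declare to use them.
CAPABILITY_PERMISSIONS = {
    "record audio": {"android.permission.RECORD_AUDIO"},
    "take photos": {"android.permission.CAMERA"},
    "make calls": {"android.permission.CALL_PHONE"},
    "monitor messages": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "read call logs": {"android.permission.READ_CALL_LOG"},
    "read contacts": {"android.permission.READ_CONTACTS"},
    "read accounts": {"android.permission.GET_ACCOUNTS"},
}

# Constructed manifest for a "messenger" that asks for nearly every spying capability.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakechat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="FakeChat"/>
</manifest>
"""

# Constructed manifest for an app with a modest permission set.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.photonotes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="PhotoNotes"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set:
    """Collect the android:name values of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def spyware_capabilities(manifest_xml: str) -> list:
    """List the article's spying capabilities that the declared permissions would enable."""
    perms = declared_permissions(manifest_xml)
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed)


def review(manifest_xml: str, threshold: int = 4) -> dict:
    """Triage summary: which capabilities are enabled and whether the count crosses the threshold.

    The threshold is an assumption for this example; tune it to the app category
    (a camera app with one capability is normal, a game with six is not).
    """
    caps = spyware_capabilities(manifest_xml)
    return {"capabilities": caps, "count": len(caps), "suspicious": len(caps) >= threshold}


if __name__ == "__main__":
    for label, manifest in (("fakechat", SUSPICIOUS_MANIFEST), ("photonotes", BENIGN_MANIFEST)):
        result = review(manifest)
        print(label, result["count"], "suspicious" if result["suspicious"] else "ok", result["capabilities"])
```

On a real device the same review can be done from the app's permission screen; the script is useful when vetting many APKs at once, for example packages pulled from a fleet of managed devices, where the manifest can be extracted and fed to `review()` in bulk.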