Researchers at Lookout have identified over a thousand spyware apps linked to an attacker believed to be based in Iraq. The samples all belong to the SonicSpy family, whose numbers have been growing since February, and several of them made it into the Google Play Store. Google has since removed at least one of the apps after Lookout reported the malware to them.
The threat was discovered after analysis by the Lookout Security Cloud flagged spyware capabilities in the app, queuing it for manual review by the research team.
The SonicSpy sample found on Google Play was called Soniac and was marketed as a messaging app. It did provide that function, being a customized build of the Telegram messaging app, but it also contained malicious capabilities that gave the attacker control over the targeted device.
The app could silently record audio, make outbound calls, send text messages, take photos with the device's camera, and collect information on Wi-Fi access points.
The SonicSpy family as a whole supports 73 different remote instructions, including those seen in the Soniac sample.
Once installed, SonicSpy removes its launcher icon to hide itself from the victim, connects to its C2 infrastructure (arshad93.ddns[.]net:2222), and attempts to install its own customized build of Telegram, which is stored in the APK's res/raw directory under the name su.apk.
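The two package-level traits just described, the bundled su.apk under res/raw and the hard-coded dynamic-DNS C2 with its non-standard port, are enough for a first-pass static triage of a suspect APK. The script below is an added example, not Lookout's tooling: it treats the APK as the zip it is, looks for the dropped file and for any *.ddns.net hostname (with the ":2222" suffix) in the raw bytes of every entry, and builds its own constructed sample package for testing. The C2 host is carried in the defanged form the article uses and only refanged at match time.

```python
import io
import re
import zipfile

# Indicators taken from the article above. The C2 host stays defanged in source
# and is refanged only when matching, so this file carries no live hostname.
C2_HOST_DEFANGED = "arshad93.ddns[.]net"
C2_PORT = 2222
DROPPED_APK = "res/raw/su.apk"
DYNDNS_RE = re.compile(rb"[a-z0-9.-]+\.ddns\.net")


def refang(ioc):
    """Turn a defanged IOC such as example[.]net back into a real hostname."""
    return ioc.replace("[.]", ".")


def triage_apk(apk_bytes):
    """Static checks for the SonicSpy traits described above.

    Returns a dict with:
      dropped_apk  - True if res/raw/su.apk is bundled in the package
      c2_host_hit  - True if the known C2 hostname appears in any entry
      dyndns_hosts - every *.ddns.net name found anywhere in the package
      c2_port_hit  - True if a dyndns host is immediately followed by :2222
    """
    hits = {"dropped_apk": False, "c2_host_hit": False,
            "dyndns_hosts": set(), "c2_port_hit": False}
    host = refang(C2_HOST_DEFANGED).encode()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        hits["dropped_apk"] = DROPPED_APK in names
        for name in names:
            data = z.read(name)
            if host in data:
                hits["c2_host_hit"] = True
            for m in DYNDNS_RE.finditer(data):
                hits["dyndns_hosts"].add(m.group(0).decode())
                # Port sits right after the hostname in a "host:port" string.
                tail = data[m.end():m.end() + 8]
                if tail.startswith(b":%d" % C2_PORT):
                    hits["c2_port_hit"] = True
    hits["dyndns_hosts"] = sorted(hits["dyndns_hosts"])
    return hits


def is_sonicspy_like(hits):
    """Escalation rule: the bundled su.apk plus any dyndns C2 reference."""
    return hits["dropped_apk"] and (hits["c2_host_hit"] or bool(hits["dyndns_hosts"]))


def build_sample_apk(malicious=True):
    """Constructed test input: a minimal zip laid out like the SonicSpy APK.

    classes.dex here is stand-in bytes; a real dex keeps the C2 string in its
    string table, which is still a plain byte substring for this scan.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        if malicious:
            dex = b"dex\n035\x00" + refang(C2_HOST_DEFANGED).encode() + b":2222\x00"
            z.writestr("classes.dex", dex)
            z.writestr(DROPPED_APK, b"PK\x03\x04 placeholder for the bundled Telegram build")
        else:
            z.writestr("classes.dex", b"dex\n035\x00api.example.com:443\x00")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

Run it against a real APK with `triage_apk(open("app.apk", "rb").read())`. The byte-level scan is deliberately crude: strings assembled at runtime or stored encrypted will not match, so a miss here is not a clean bill of health, while a hit on res/raw/su.apk next to any dyndns host is a strong reason to pull the sample into dynamic analysis.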
Testing SonicSpy's malicious functionality is an almost straightforward process because of how client-server communication is implemented: since the implant reaches its C2 by a dynamic DNS name, an analyst can point that name at a lab machine (DNS poisoning) and confirm the behaviour by listening on port 2222 with Netcat.
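The confirmation step above in code, as an added example rather than anything from Lookout's write-up: one function emits the hosts-file line that poisons the C2 name towards a lab address, and a small listener does what `nc -lvp 2222` does but keeps the captured bytes so they can be checked programmatically. The lab IP (a documentation-range address) and the beacon payload are assumptions; the article does not describe SonicSpy's wire protocol, so the simulated client only stands in for the implant's first connection.

```python
import socket
import threading

# Indicators from the article above. The C2 host stays defanged and is refanged
# only when writing the override; LAB_IP is an assumed sinkhole address.
C2_HOST_DEFANGED = "arshad93.ddns[.]net"
C2_PORT = 2222
LAB_IP = "192.0.2.10"   # RFC 5737 documentation range; use your own sinkhole's IP


def refang(ioc):
    return ioc.replace("[.]", ".")


def hosts_override(lab_ip=LAB_IP, host=C2_HOST_DEFANGED):
    """The /etc/hosts line that poisons the C2 name on the analysis device's resolver."""
    return "%s %s" % (lab_ip, refang(host))


def start_sinkhole(bind="127.0.0.1", port=C2_PORT, max_clients=1, timeout=3.0):
    """Accept connections like the real C2 and record what each client sends.

    Returns (bound_port, captures, finished_event); port=0 picks a free port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(5)
    captures = []
    finished = threading.Event()

    def serve():
        try:
            for _ in range(max_clients):
                conn, peer = srv.accept()
                conn.settimeout(timeout)
                chunks = []
                try:
                    while True:          # read until the client closes or goes quiet
                        chunk = conn.recv(4096)
                        if not chunk:
                            break
                        chunks.append(chunk)
                except socket.timeout:
                    pass
                captures.append({"peer": peer[0], "data": b"".join(chunks)})
                conn.close()
        finally:
            srv.close()
            finished.set()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], captures, finished


def simulate_beacon(port, payload, host="127.0.0.1"):
    """Stand-in for the implant: connect to the poisoned name and send a first message."""
    with socket.create_connection((host, port), timeout=3.0) as c:
        c.sendall(payload)


def capture_first_beacon(payload=b"constructed beacon, not the real SonicSpy protocol\n"):
    """End-to-end lab run on an ephemeral loopback port; returns the captured bytes."""
    port, captures, finished = start_sinkhole(port=0)
    simulate_beacon(port, payload)
    finished.wait(5)
    return captures[0]["data"] if captures else None


if __name__ == "__main__":
    print(hosts_override())
    print(capture_first_beacon())
```

On a real device the override goes into the emulator's or rooted handset's resolver, the sinkhole binds 0.0.0.0:2222 on the lab host, and the first thing captured is whatever the implant sends when it checks in. Anything it sends before any operator command is issued is the fingerprint to turn into a network detection.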
The samples analyzed share many components with SpyNote, another malware family first reported in 2016, which suggests the same attacker is behind both. Code similarities, routine use of a dynamic DNS service and the choice of the non-standard port 2222 are among the traits the two families share. For SpyNote, the attacker used a desktop application to inject the malicious code into a chosen app so that the victim could still use the legitimate functionality of the trojanized app. Several aspects of the SonicSpy apps indicate that the same kind of automated build process is used, although which desktop tooling is involved is still unknown.
The account that published Soniac, iraqwebservice, is the same one that posted two other malware samples to the Play Store, though neither is still on the market. It is not yet known whether the developer removed them or Google did. Cached Play Store pages for these apps, Hulk Messenger and Troy Chat, confirm they were once live, and Lookout's analysis found they contained the same functionality as other SonicSpy samples.
Anyone entering sensitive information on a mobile device should be concerned about SonicSpy. The actors behind this family have shown they can get their spyware into the official app store, and it is quite possible that another version of SonicSpy will appear in the future.