Detect more than 1,000 spy applications on Android App Stores

Someone tried to upload a third-party app store and Google Play Store thousands of tainted apps, which can monitor almost every user activity on a mobile phone by recording calls silently, create an external call without the user having to do anything.

Called SonicSpy, spyware (spyware) has spread throughout Android app stores since at least February by pretending to be a messaging app - although it does indeed offer messaging services.

SonicSpy can perform many poisoning tricks

At the same time, SonicSpy spy applications can perform many tasks, including silently recording calls and sounds from the microphone, device hijack and snap photos, making external calls (outbound) without requires user permission, sends a message to the number that the attacker chooses.

In addition, SonicSpy also steals user information such as call history, contacts, information about Wi-Fi hotspots that the device connects to, which can easily track the location of the person. use.

This Spyware was discovered by security researchers at mobile security company Lookout. They also found three versions of messaging applications affected by SonicSpy on the official Google Play Store store and have been downloaded thousands of times.

The application is available on the official Play Store but is still poisoned

Although suspicious applications - Soniac, Hulk Messenger and Troy Chat - have been removed from the Store, they are still widely available on third-party stores and other SonicSpy infected applications.

Iraq's connection to SonicSpy spyware

The researchers believe that the malware is related to developers in Iraq and that in total, the SonicSpy malware family supports up to 73 remote instructions for an attacker to execute on an infected Android phone.

Iraq's connection to spyware stems from the similarity between SonicSpy and SpyNote, another Android malware discovered in July 2016 that is a Netflix application and supposedly written by Iraqi hackers.

'There are many signs that the hands behind both are the same director. For example, both have the same code, often using dynamic DNS translation, running port 2222 is not standard, 'said Michael Flossman from Lookout.

Importantly, the name of the developer account behind Soniac on Google Play Store is also iraqiwebservice.

How does SonicSpy Spyware work?

One of SonicSpy's messaging apps on Google Play Store is Soniac. When installed, it will remove the launcher icon from the phone list to hide and connect to the C&C server to try to install the edited version of the Telegram application.

However, the application is really malicious when it allows an attacker to completely control the device, turn it into a spy tool, silently record calls, make calls, images, retrieve data personal.

Before being deleted by Google, it was downloaded between 1,000 and 1,500 times, but since it is one of 1,000 variants, the malware can affect more. SonicSpy can return to Play Store

Although SonicSpy-infected applications have been removed from the Play Store, researchers warn that it may return to a developer account and other application interfaces.

'The malware family behind it shows that they can put spyware in the official app store and be actively developed, the build process is automated, maybe SonicSpy can come back in the future.'

Although Google has introduced many security measures to prevent malicious applications, they still find ways to insert into Play Store.

How to protect yourself from malware

The easiest way is to keep an eye on suspicious applications, even when downloading from Google Play Store and trusting only big names. Also, always read the user review that downloaded the application and verify the application before installing, only empowering related to the purpose of the application.

Do not download applications from third party sources because even though distributed through the official Play Store, most victims are infected with malware through untrusted applications. Finally, don't forget to use anti-virus software to detect and block malware and regularly update devices and applications.