Security researchers from Lookout are warning about raft of spyware-infected apps that have been found in Google Play. Seemingly connected to Iraq, more than a thousand apps hve been found to include SonicSpy spyware.
The spyware is embedded in a variety of legitimate-looking apps, such as messaging tools based on Telegram. One such example is an app called Soniac which was found to be capable of not only recording audio and retrieving contacts, but also taking photos and gathering phone logs. Lookout warns that SonicSpy is sneaky, and tries to hide from users to avoid detection.
The first time the malicious app runs, it hides its own icon as a means of evading detection. It can then work away in the background, communicating a remote server. The spyware is known to have been active since at least February this year, but it bears similarities to SpyNote from last year.
Lookout describes what the spyware is capable of:
The sample of SonicSpy most recently found on the Play Store, called Soniac, is marketed as a messaging app. While Soniac does provide this functionality through a customized version of the communications app Telegram, it also contains malicious capabilities that provide an attacker with significant control over a target device.
This includes the ability to silently record audio, take photos with the camera, make outbound calls, send text messages to attacker specified numbers, and retrieve information such as call logs, contacts, and information about Wi-Fi access points.
The overall SonicSpy family supports 73 different remote instructions, including those seen in the Soniac instance.
Lookout reported its findings to Google and Soniac and two other apps -- Hulk Messenger and Troy Chat -- were removed from the Play Store. Iraq has been identified as the probable source of the malware due to the simple fact that the developer account associated with the software is called iraqwebservice, and there are references to "Iraqian Shield" in the code.