Security researchers at Lookout have detected a new case of malware running rampant in the Google Play Store. Numerous apps have been found to contain samples of a spyware family named SonicSpy. As its name implies, this spyware can monitor your phone’s activity and execute remote commands. It appears to be linked to a programmer based in Iraq. The apps have since been removed from Google Play, but they are still circulating on third-party app sites.
The threat actor created multiple malicious apps by taking the open-source messaging app Telegram and embedding SonicSpy in it. The compromised messenger apps recently detected in Google Play are Soniac, Troy Chat, and Hulk Messenger. Apps carrying the SonicSpy malware can record audio, send text messages, make calls, and retrieve call logs, contacts, and Wi-Fi access points. Furthermore, once installed, the apps connect to a C&C server, through which the operator can execute 73 supported commands.
This year has seen a noticeable spike in malware on smartphones, particularly on Android. There have been multiple instances of spyware and ransomware apps detected for the mobile OS. According to Dan Goodin from Ars Technica, this specific threat actor has created over 4000 spyware apps since February. While these three apps were recently detected on Google Play, over 1000 apps containing samples of SonicSpy have been detected in the wild. Furthermore, it is possible that more apps using SonicSpy remain undetected on Google Play.