Security researchers have discovered a new spyware threat to Android devices. The attack, known as SonicSpy, was found in more than 1,000 apps including some that are available in the Google Play Store.
Researchers at mobile security firm Lookout spotted SonicSpy, a spyware threat that has been spreading aggressively across Android devices since February. The attack is believed to be related to a threat actor based in Iraq.
According to Lookout, SonicSpy carries a number of spying capabilities that could put victims of the attack at risk of having private information compromised and communications stolen.
SonicSpy is capable of silently recording audio from the microphone built into an infected device. It can also hijack the camera and snap photos, make outbound calls without the user’s permission and send text messages to numbers chosen by the attacker.
The spyware is also capable of stealing user information including call logs, contacts and details about Wi-Fi access points the device has connected to, which could be used to track the location of a user. Lookout reported the version of the spyware it sampled supported 73 different remote instructions that an attacker could execute on an infected device.
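As an added example (not from Lookout's analysis or the original article), the capabilities listed above can be mapped to the Android permissions an app normally has to declare to use them, and a decoded manifest triaged for that combination. The permission mapping, the review threshold, and the sample manifest are assumptions constructed for illustration; the input is a text `AndroidManifest.xml` already decoded from the APK.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: capability named in the article -> permission an app declares for it.
CAPABILITY_PERMISSIONS = {
    "record audio from the microphone": "android.permission.RECORD_AUDIO",
    "take photos with the camera": "android.permission.CAMERA",
    "make outbound calls": "android.permission.CALL_PHONE",
    "send text messages": "android.permission.SEND_SMS",
    "read call logs": "android.permission.READ_CALL_LOG",
    "read contacts": "android.permission.READ_CONTACTS",
    "read Wi-Fi access point details": "android.permission.ACCESS_WIFI_STATE",
}

# Constructed sample: a hypothetical messaging app's decoded manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    # For manifests from untrusted APKs, a hardened parser such as defusedxml is preferable.
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms

def capability_overlap(manifest_xml):
    """List the article's capabilities that the declared permissions would allow."""
    perms = requested_permissions(manifest_xml)
    return sorted(cap for cap, perm in CAPABILITY_PERMISSIONS.items() if perm in perms)

def needs_review(manifest_xml, threshold=4):
    """Flag an app for manual review; a match is a triage signal, not a verdict."""
    return len(capability_overlap(manifest_xml)) >= threshold

if __name__ == "__main__":
    print(capability_overlap(SAMPLE_MANIFEST), needs_review(SAMPLE_MANIFEST))
```

Legitimate messaging apps also request several of these permissions, so the result only prioritizes apps for closer inspection.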
SonicSpy was spotted in more than 1,000 apps. Lookout theorized many of the apps were built through automated processes, allowing for a constant stream of new vehicles housing the infection to be pushed out.
Troublingly, some of those apps managed to bypass security measures implemented by Google and were made available through the Google Play Store—the official app marketplace from the maker of the Android operating system.
One of the apps housing SonicSpy while sitting in the Google Play Store was Soniac. Presented as a relatively standard messaging app, Soniac was a modified version of popular encrypted communications app Telegram.
Soniac didn’t amass many downloads—the Google Play Store estimated no more than 5,000 total installations for the app—but represented a significant threat for any user who did download the app or any of the other apps uploaded by the same developer.
An account called iraqwebservice was behind Soniac. According to Lookout, the developer uploaded at least two other apps that contained the malicious SonicSpy spyware, though neither app was active. The apps were Hulk Messenger and Troy Chat—both of which were messaging apps like Soniac.
Lookout said it disclosed all instances of apps containing SonicSpy to Google, and the search giant acted to remove the infected apps from the Google Play Store. Developer iraqwebservice no longer has any apps hosted in Google’s app marketplace.
Malicious software has become a problem for Google, which has tried to keep its own app store clean of any infected services. However, in the last two months the company has removed a number of apps that contained malware, including apps that were discovered to be stealing user text messages and hijacking communications on an infected device.