Researchers from mobile security firm Lookout say they found at least three Android apps on the Google Play Store that contained a form of advanced spyware they believe was created by an Iraqi developer.
Experts say the malware author modified a version of the official Telegram app, injected the spyware code, rebranded it, and uploaded the modified app to the Play Store.
Three apps made it to the Play Store
In total, the crook uploaded the app to the Play Store three times, under the names Soniac, Hulk Messenger, and Troy Chat. Only Soniac was still active on Google’s app store when researchers first spotted the spyware; the other two apps had already been taken down, most likely by the developer himself.
At the time of writing, Lookout says it has identified over 1,000 variations of this new spyware, called SonicSpy, which it believes to be a new version of an older Android spyware named SpyNote.
Researchers believe the same developer created both spyware families. They base their theory on the fact that both apps used dynamic DNS services running on the non-standard port 2222, and that both were decompiled, injected with the malicious code, and recompiled with the same desktop utility, possibly part of a custom automated build system.
SonicSpy Supports a Vast Array of Malicious Actions
On infected devices, SonicSpy supports 73 different malicious actions, issued as instructions it receives from a remote server. Below is a summary of the most intrusive ones:
➥ Silently record audio
➥ Silently take photos with available cameras
➥ Make outbound calls
➥ Send SMS messages
➥ Retrieve call logs
➥ Get data on WiFi access points
Users become infected by installing the app and granting it the permissions it needs to perform its abusive actions. The apps are very hard to spot because they include a fully working chat application, giving victims no reason to suspect they have been infected.
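Because each of the capabilities listed above needs a specific Android permission, a defender triaging a suspicious chat app can check its manifest for that combination. The following is an added example written for this article, not Lookout's tooling or code from the spyware; the permission-to-capability mapping is the author's own, and the two manifests are constructed samples, not taken from the real apps.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Standard Android permissions that correspond to the capabilities the
# article lists for SonicSpy. This mapping is an assumption for triage,
# not something the article states.
CAPABILITY_PERMISSIONS = {
    "record audio": {"android.permission.RECORD_AUDIO"},
    "take photos": {"android.permission.CAMERA"},
    "make outbound calls": {"android.permission.CALL_PHONE"},
    "send SMS": {"android.permission.SEND_SMS"},
    "retrieve call logs": {"android.permission.READ_CALL_LOG"},
    "wifi access point data": {"android.permission.ACCESS_WIFI_STATE"},
}

# Constructed sample: what a repackaged chat app with all six capabilities might declare.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.chat.suspicious">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
</manifest>"""

# Constructed sample: a chat app that only needs network access and voice notes.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.chat.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission")}


def spyware_capabilities(manifest_xml):
    """Map each listed SonicSpy capability to whether the manifest enables it."""
    perms = declared_permissions(manifest_xml)
    return {cap: bool(perms & needed) for cap, needed in CAPABILITY_PERMISSIONS.items()}


def capability_count(manifest_xml):
    """Number of listed capabilities the app could exercise; 6 means all of them."""
    return sum(spyware_capabilities(manifest_xml).values())
```

A chat app that declares every one of these permissions is not proof of spyware, but it is the combination a reviewer would want explained before trusting the app.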