Lookout researchers have identified over a thousand spyware apps related to a threat actor likely based in Iraq. Belonging to the family “SonicSpy,” these samples have been aggressively deployed since February 2017, with several making their way onto the Google Play Store. Google removed at least one of the apps after Lookout alerted the company.
We discovered this threat after the Lookout Security Cloud analysis stack identified the spyware capabilities, flagging the app to our research team for manual review.
All Lookout customers are protected from this threat.
What it does
The sample of SonicSpy most recently found on the Play Store, called Soniac, is marketed as a messaging app. While Soniac does provide this functionality through a customized version of the communications app Telegram, it also contains malicious capabilities that provide an attacker with significant control over a target device.
This includes the ability to silently record audio, take photos with the camera, make outbound calls, send text messages to attacker specified numbers, and retrieve information such as call logs, contacts, and information about Wi-Fi access points.
The overall SonicSpy family supports 73 different remote instructions, including those seen in the Soniac instance.
Upon first execution SonicSpy will remove its launcher icon to hide itself from the victim, establish a connection to C2 infrastructure (arshad93.ddns[.]net:2222), and attempt to install its own custom version of Telegram that is stored in the res/raw directory and titled su.apk.
Learn why this kind of functionality should be highly concerning to enterprises, especially those sending employees overseas.
Determining the functionality
Testing SonicSpy’s malicious functionality was a relatively straight forward process due to how client server communication has been implemented and can be quickly confirmed via DNS poisoning and running netcat.
Running netcat on port 2222 where the DNS record for arshad93.ddns[.]net has been locally poisoned allows us to interact directly with an infected device. Via the A0 command it is possible to retrieve basic device information, followed by call logs (A1), wifi access points (A7), clipboard data (A20), record surrounding audio (A29), before stopping audio recording and retrieving the audio as base64 encoded data (A30).
Analysed samples were found to contain many similarities to SpyNote, another malware family that was first reported on in mid 2016. There are many indicators that suggest the same actor is behind the development of both. For example, both families share code similarities, regularly make use of dynamic DNS services, and run on the non-standard 2222 port. In the case of SpyNote, the attacker used a custom-built desktop application to inject malicious code into specific apps so that a victim could still interact with the legitimate functionality of the trojanized apps. Due to the steady stream of SonicSpy apps it seems likely that the actors behind it are using a similar automated-build process, however their desktop tooling has not been recovered at this point in time.
The account behind Soniac, iraqwebservice, has also previously posted two other SonicSpy samples to the Play Store, although both samples are no longer live. It’s unclear whether they were removed as a direct result of Google taking action or if the actor behind SonicSpy removed them in order to evade detection for as long as possible. Cached Play Store pages of these apps, Hulk Messengerand Troy Chat, confirm they were once live and our analysis found they contained the same functionality as other SonicSpy samples.
Cached web content of hulk messenger and troy chat that were also live on the Play Store.
Anyone accessing sensitive information on their mobile device should be concerned about SonicSpy. The actors behind this family have shown that they’re capable of getting their spyware into the official app store and as it’s actively being developed, and its build process is automated, it’s likely that SonicSpy will surface again in the future.