A group of security researchers from the security firm Lookout discovered three Android apps on the Google Play Store that contained advanced spyware, which they believe was built by a developer based in Iraq.
It appears that the malware's author took the official Telegram app, injected spyware code into it, rebranded it, and uploaded the modified app to the Play Store.
The attackers managed to upload the app to the Play Store three times, under the names Soniac, Hulk Messenger, and Troy Chat. Only the first one (Soniac) was still live on Google Play; the other two were no longer active, most likely removed by the author himself.
According to researchers:
“Lookout researchers have identified over a thousand spyware apps related to a threat actor likely based in Iraq. Belonging to the family “SonicSpy,” these samples have been aggressively deployed since February 2017, with several making their way onto the Google Play Store. Google removed at least one of the apps after Lookout alerted the company.”

“While Soniac does provide this functionality through a customized version of the communications app Telegram, it also contains malicious capabilities that provide an attacker with significant control over a target device.”
The spyware has the ability to silently record audio, take photos with the camera, place outbound calls, send text messages to attacker-specified numbers, and retrieve information such as call logs, contacts, and details about nearby Wi-Fi access points.
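Each capability listed above requires the app to declare a corresponding Android permission in its manifest, so a simple triage check for a repackaged "messenger" is to look at which of those permissions it asks for together. The script below is an added example written for this article, not code from Lookout or from the SonicSpy samples; the mapping from capabilities to permission names is our assumption (the article does not list the permissions), and both manifests are constructed samples, not real APK contents.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed mapping from the capabilities described in the article to the
# Android permissions an app must declare to use them. Not taken from
# any real SonicSpy sample.
CAPABILITY_PERMISSIONS = {
    "record audio": {"android.permission.RECORD_AUDIO"},
    "take photos": {"android.permission.CAMERA"},
    "place outbound calls": {"android.permission.CALL_PHONE"},
    "send text messages": {"android.permission.SEND_SMS"},
    "read call logs": {"android.permission.READ_CALL_LOG"},
    "read contacts": {"android.permission.READ_CONTACTS"},
    "read Wi-Fi access point info": {"android.permission.ACCESS_WIFI_STATE"},
}

# Constructed manifest resembling what a rebranded chat app with the
# capabilities above would have to declare.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.rebranded.chat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <application android:label="Chat"/>
</manifest>
"""

# Constructed manifest for a plain messenger that only needs network
# access and the camera for sending pictures.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plain.chat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Chat"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)
        if name:
            perms.add(name)
    return perms


def matched_capabilities(perms):
    """List the article's capabilities whose permissions are all declared."""
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items()
                  if needed <= perms)


def assess(manifest_xml, threshold=4):
    """Flag an app that can exercise at least `threshold` of the capabilities.

    The threshold is an arbitrary triage value chosen for this example.
    """
    perms = declared_permissions(manifest_xml)
    caps = matched_capabilities(perms)
    return {
        "permissions": sorted(perms),
        "capabilities": caps,
        "suspicious": len(caps) >= threshold,
    }


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        result = assess(manifest)
        print(label, result["suspicious"], result["capabilities"])
```

Run it against a manifest decoded from an APK (for example with apktool) to get a quick triage signal. The check is deliberately coarse: a legitimate messenger may reasonably ask for the camera or contacts, so the combined count of surveillance-style permissions, not any single one, is what marks an app for closer review.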