According to an investigation conducted out by the researchers at Lookout, apps considering the malware can quietly record audio; take photos with the camera; make outbound calls; send text messages to attacker-particularized numbers; and recover call logs, contacts, and data about Wi-Fi access points.
“In fact, the malware has the capability to respond to over 73 different remote controls, indicating attackers can handle a victim’s device from remote through a command and control server,” said Michael Flossman, a security analyst at Lookout.
“Once unfortunately on the device, it gives the victim the sponsored messaging functionality while concurrently stealing data, making a false sense of trust with the victim.”
The most current example of SonicSpy noticed on the Play Store was named Soniac and was sold as a messaging app. While Soniac does give this functionality through a customized version of the communications app Telegram, it also includes malicious abilities that provide an intruder with significant control over a target device.
Upon the first install, SonicSpy will eliminate its launcher icon to hide from the victim, authorize a connection to the C2 infrastructure arshad93.ddns[.]net:2222, and try to install its own custom version of Telegram that is saved in the res/raw directory and titled su.apk.
“This kind of functionality should be extremely concerning to any party obtaining sensitive information in mobile devices, including enterprises,” said Flossman.
Lookout discovered that the record behind Soniac, Iraq Webservice, has also earlier posted two other SonicSpy samples to the Play Store, although both units are no longer live. “It’s unclear whether they were killed as a direct result of Google taking action or if the actor behind SonicSpy removed them in sequence to evade detection for as long as possible,” said Flossman.
He added that companies often send employees abroad for conferences, customer meetings, etc and while moving, employees use messaging apps to interact with coworkers and family back home. “Apps like SonicSpy capitalize on this by portraying to be trustworthy apps in well-known marketplaces,” he added.
“It’s clear that the malicious actors behind SonicSpy desired the app to persist on the victim’s device, so they performed surely to incorporate the functionality that the end user was expecting.”
Take your time to comment on this article.
