Connect with us

Hi, what are you looking for?


Malware & Threats

SonicSpy Spyware Found in Over One Thousand Android Apps

Security researchers have found more than one thousand applications rigged with spyware over the past six months, including some distributed via Google Play.

Security researchers have found more than one thousand applications rigged with spyware over the past six months, including some distributed via Google Play.

The applications are part of the SonicSpy malware family and have been aggressively deployed since February 2017 by a threat actor likely based in Iraq, Lookout security researchers say. Google was informed on the malicious activity and has removed at least one of the offending apps from Google Play.

One sample found in Google Play was called Soniac and was posing as a messaging application. Although it does provide the advertised functionality by leveraging a customized version of the Telegram messaging app, the software also includes malicious components, Lookout says.

Once the malicious program has been installed on a device, its author is provided with “significant control” over that device. The overall SonicSpy family of malware includes support for 73 different remote instructions, yet only some are found in Soniac.

Among these, the security researchers mention the ability to silently record audio, an option to take photos with the camera, and the ability to make outbound calls. Additionally, the malware can send text messages to attacker-specified numbers and can retrieve information such as call logs, contacts, and information about Wi-Fi access points.

When executed, SonicSpy removes its launcher icon to hide itself from the victim, then attempts to establish a connection to the command and control (C&C) infrastructure (at arshad93.ddns[.]net). The malware also attempts to install its own custom version of Telegram, which it has stored in the res/raw directory under the name su.apk.

While analyzing the discovered samples, the security researchers found similarities with SpyNote, a malware family first detailed in mid-2016. Based on numerous indicators, the researchers suggest that the same actor is behind the development of both malware families.

Advertisement. Scroll to continue reading.

According to Lookout, both SonicSpy and SpyNote share code similarities and both make use of dynamic DNS services, in addition to running on the non-standard 2222 port.

The SpyNote attacker, the researchers say, was using custom-built desktop software to inject malicious code into the Trojanized apps, thus allowing the victim to continue interacting with their legitimate functionality. The stream of observed SonicSpy apps suggests the actors behind it are using a similar automated-build process, yet the researchers haven’t recovered their desktop tooling until now.

Lookout also notes that the account behind Soniac, iraqwebservice, has previously posted two other SonicSpy samples to the Play Store, yet those are no longer live. Called Hulk Messenger and Troy Chat, the applications contained some functionality as other SonicSpy samples, but it’s unclear whether Google removed them or the actor behind them decided to remove them to evade detection.

“Anyone accessing sensitive information on their mobile device should be concerned about SonicSpy. The actors behind this family have shown that they’re capable of getting their spyware into the official app store and as it’s actively being developed, and its build process is automated, it’s likely that SonicSpy will surface again in the future,” the security researchers conclude.

Related: Fake Netflix App Takes Control of Android Devices

Related: Millions Download “System Update” Android Spyware via Google Play

Related: Android Spyware Snoops on Government, Military Security Job Seekers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.