SonicSpy Spyware Found in Over One Thousand Android Apps

Security researchers have found more than one thousand applications rigged with spyware over the past six months, including some distributed via Google Play.

The applications are part of the SonicSpy malware family and have been aggressively deployed since February 2017 by a threat actor likely based in Iraq, Lookout security researchers say. Google was informed of the malicious activity and has removed at least one of the offending apps from Google Play.

One sample found in Google Play was called Soniac and was posing as a messaging application. Although it does provide the advertised functionality by leveraging a customized version of the Telegram messaging app, the software also includes malicious components, Lookout says.

Once the malicious program has been installed on a device, its author is provided with “significant control” over that device. The overall SonicSpy family of malware includes support for 73 different remote instructions, yet only some are found in Soniac.

Among these, the security researchers mention the ability to silently record audio, an option to take photos with the camera, and the ability to make outbound calls. Additionally, the malware can send text messages to attacker-specified numbers and can retrieve information such as call logs, contacts, and information about Wi-Fi access points.

When executed, SonicSpy removes its launcher icon to hide itself from the victim, then attempts to establish a connection to the command and control (C&C) infrastructure (at arshad93.ddns[.]net). The malware also attempts to install its own custom version of Telegram, which it has stored in the res/raw directory under the name su.apk.
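A static triage check for the bundling behavior described above, written as an added example (not Lookout's tooling and not code from the article): it flags files inside an APK's resources that are themselves APKs, the way su.apk sits in res/raw. Scanning assets/ as well, the 64 MB size cap and the sample archive built in `build_sample` are assumptions made for the illustration.

```python
import io
import zipfile

APK_CORE = {"AndroidManifest.xml", "classes.dex"}   # present in a normal APK
SCAN_DIRS = ("res/raw/", "assets/")                  # assets/ is an added generalization
MAX_ENTRY = 64 * 1024 * 1024                         # assumed cap against zip bombs

def looks_like_apk(data: bytes) -> bool:
    """True if data parses as a ZIP that carries the core APK files."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return APK_CORE.issubset(z.namelist())
    except zipfile.BadZipFile:
        return False

def find_embedded_apks(apk_bytes: bytes) -> list:
    """Return (entry, verdict) pairs for bundled files that need review."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir() or not info.filename.startswith(SCAN_DIRS):
                continue
            if info.file_size > MAX_ENTRY:
                findings.append((info.filename, "too-large-unchecked"))
            elif looks_like_apk(outer.read(info)):
                findings.append((info.filename, "embedded-apk"))
    return findings

def build_sample(with_payload: bool) -> bytes:
    """Constructed test input: a minimal APK-shaped ZIP, not a real sample."""
    def make_zip(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for name, data in entries.items():
                z.writestr(name, data)
        return buf.getvalue()
    core = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00"}
    entries = dict(core)
    entries["res/raw/notify.ogg"] = b"OggS placeholder"
    if with_payload:
        entries["res/raw/su.apk"] = make_zip(core)
    return make_zip(entries)

if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)), ("bundled", build_sample(True))):
        print(label, find_embedded_apks(sample))
```

A hit is a reason to unpack and review the inner package, not a verdict on its own, since some legitimate apps also ship secondary APKs.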

While analyzing the discovered samples, the security researchers found similarities with SpyNote, a malware family first detailed in mid-2016. Based on numerous indicators, the researchers suggest that the same actor is behind the development of both malware families.

According to Lookout, SonicSpy and SpyNote share code similarities, and both make use of dynamic DNS services and run on the non-standard port 2222.

The SpyNote attacker, the researchers say, was using custom-built desktop software to inject malicious code into the Trojanized apps, thus allowing the victim to continue interacting with their legitimate functionality. The stream of observed SonicSpy apps suggests the actors behind it are using a similar automated-build process, yet the researchers have not recovered their desktop tooling so far.

Lookout also notes that the account behind Soniac, iraqwebservice, has previously posted two other SonicSpy samples to the Play Store, yet those are no longer live. Called Hulk Messenger and Troy Chat, the applications contained the same functionality as other SonicSpy samples, but it’s unclear whether Google removed them or the actor behind them decided to remove them to evade detection.

“Anyone accessing sensitive information on their mobile device should be concerned about SonicSpy. The actors behind this family have shown that they’re capable of getting their spyware into the official app store and as it’s actively being developed, and its build process is automated, it’s likely that SonicSpy will surface again in the future,” the security researchers conclude.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.