An information security firm has discovered the presence of malware in more than a thousand mobile apps for the Android operating system. According to Lookout Security, the malware shares many features and characteristics with SonicSpy, a type of Android malware developed for the purpose of snooping on smartphone users.
One of the Android apps singled out by Lookout Security is called Soniac, which is offered as a mobile instant messenger similar to WhatsApp or Telegram; in fact, researchers believe that Soniac was developed on top of the Telegram software architecture.
When smartphone users install Soniac or other apps infected with SonicSpy, their call logs are transmitted to a remote server managed by malicious hackers. On Android installations that have been modified to grant root access, Soniac may allow a remote attacker to take control of the device. Voice calls may be captured without users becoming aware that they are being recorded, and text messages may also be sent surreptitiously as invitations to download Soniac.
The SonicSpy malware was first detected in February; back then, the infection was limited to a handful of apps. Since that time, SonicSpy seems to have proliferated by means of widespread app marketing. Some of the apps infected with SonicSpy can be installed from the Google Play store, which makes them even more dangerous to smartphone and tablet users. As of August 2017, Google had removed some of the apps in question from the Play store.
In the beginning, Lookout researchers noticed that SonicSpy was similar to SpyNote, a type of Android malware that was initially detected in 2016. Another aspect of SonicSpy is that it appears to use servers located in Iraq.
Google has previously removed two apps known to contain SonicSpy: one was named Troy Chat and the other was Hulk Messenger. A specific concern mentioned by infosec researchers is that the cybercrime groups working with SonicSpy have been able to bypass the security measures of the Google Play store; moreover, the apps that they develop to spread the malware are not only polished but also enjoy significant marketing.
The SonicSpy malware can also spread through a Trojan horse process that begins with a clean installation that is later subjected to an automatic update; this is when the malware is injected. Users of these apps do not suspect anything because they are still able to use the features they expected from the app when they first installed it.