SonicSpy

SonicSpy is a family of Android spyware that has surfaced on the Google Play Store, masquerading as a messaging application. Although it does allow the user to message contacts as advertised, it also records audio, takes photos, makes phone calls, sends text messages, and retrieves data from contacts, WiFi hotspots, and call logs, all without alerting the user to its activities. According to Michael Flossman, a researcher from Lookout, SonicSpy removes its launch icon to hide itself on infected devices, connects to the attacker's C2 server at arshad93.ddns[.]net on port 2222, and then installs a custom version of the Telegram app via a file named su.apk.
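The following is an added example, not code from the page or from the Lookout or Sophos reports: a small detection pass that runs over constructed DNS, connection and file-write log lines and flags the three indicators the page states for SonicSpy (the C2 host arshad93.ddns[.]net, TCP port 2222, and the dropped file name su.apk). The log line formats, the `DNS`/`CONN`/`FILE` record types and the sample addresses are assumptions made for this example; the page gives only the indicators themselves.

```python
"""
Added example (not from the original page or the cited reports): match
constructed log lines against the SonicSpy network and file indicators
named on the page, then correlate per source host so that the weak
signals (port 2222 alone, a file merely called su.apk) only surface at
high confidence together with the C2 hostname.
"""
import re
from typing import Dict, List, Set

# Indicators stated on the page. The hostname is kept defanged in the source
# and refanged only at match time.
C2_HOST_DEFANGED = "arshad93.ddns[.]net"
C2_PORT = 2222
DROPPED_APK = "su.apk"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com') back into its real form."""
    return indicator.replace("[.]", ".")


C2_HOST = refang(C2_HOST_DEFANGED)

# Assumed log formats (constructed for this example, not a real product's):
#   "<ts> DNS  src=<ip> query=<name>"
#   "<ts> CONN src=<ip> dst=<ip>:<port> proto=<proto>"
#   "<ts> FILE src=<ip> path=<path>"
DNS_RE = re.compile(r"^(?P<ts>\S+) DNS src=(?P<src>\S+) query=(?P<name>\S+)$")
CONN_RE = re.compile(
    r"^(?P<ts>\S+) CONN src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) proto=(?P<proto>\S+)$"
)
FILE_RE = re.compile(r"^(?P<ts>\S+) FILE src=(?P<src>\S+) path=(?P<path>\S+)$")


def scan_line(line: str) -> List[Dict[str, str]]:
    """Return the findings (possibly none) for a single log line."""
    findings: List[Dict[str, str]] = []
    m = DNS_RE.match(line)
    if m:
        name = m.group("name").rstrip(".").lower()
        # The host itself or any subdomain of it.
        if name == C2_HOST or name.endswith("." + C2_HOST):
            findings.append({"ts": m.group("ts"), "src": m.group("src"),
                             "rule": "sonicspy_c2_dns", "value": name})
        return findings
    m = CONN_RE.match(line)
    if m:
        # Port 2222 by itself is a weak signal (it is a common alternate SSH
        # port), so it is reported but only counts towards high confidence
        # when correlated with another rule for the same source.
        if m.group("proto").lower() == "tcp" and int(m.group("port")) == C2_PORT:
            findings.append({"ts": m.group("ts"), "src": m.group("src"),
                             "rule": "sonicspy_c2_port", "value": m.group("dst")})
        return findings
    m = FILE_RE.match(line)
    if m:
        basename = m.group("path").rsplit("/", 1)[-1]
        if basename.lower() == DROPPED_APK:
            findings.append({"ts": m.group("ts"), "src": m.group("src"),
                             "rule": "sonicspy_dropped_apk", "value": m.group("path")})
    return findings


def scan_logs(lines: List[str]) -> List[Dict[str, str]]:
    """Scan every line and collect all findings."""
    return [f for line in lines for f in scan_line(line)]


def high_confidence_sources(findings: List[Dict[str, str]]) -> Set[str]:
    """Sources that tripped at least two distinct rules."""
    rules_by_src: Dict[str, Set[str]] = {}
    for f in findings:
        rules_by_src.setdefault(f["src"], set()).add(f["rule"])
    return {src for src, rules in rules_by_src.items() if len(rules) >= 2}


# Constructed sample log lines (addresses are documentation ranges).
SAMPLE_LOG = [
    "2017-08-10T09:00:01Z DNS src=10.0.0.12 query=arshad93.ddns.net",
    "2017-08-10T09:00:02Z CONN src=10.0.0.12 dst=203.0.113.7:2222 proto=tcp",
    "2017-08-10T09:00:03Z FILE src=10.0.0.12 path=/sdcard/Download/su.apk",
    "2017-08-10T09:00:05Z DNS src=10.0.0.20 query=update.example.com",
    "2017-08-10T09:00:06Z CONN src=10.0.0.20 dst=198.51.100.5:443 proto=tcp",
    "2017-08-10T09:00:09Z CONN src=10.0.0.31 dst=192.0.2.9:2222 proto=tcp",
]

if __name__ == "__main__":
    hits = scan_logs(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['src']} {h['rule']} {h['value']}")
    print("high confidence:", sorted(high_confidence_sources(hits)))
```

Run as a script it prints four findings and reports 10.0.0.12 as the only high-confidence source; 10.0.0.31 only hit the port rule and stays at low confidence for an analyst to triage.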

Reporting

  • August 2017: SonicSpy: Over a thousand spyware apps discovered, some in Google Play (LookoutBlog)
  • August 2017: Thousands of Android-spying apps in the wild: what to do about SonicSpy (Sophos)