The Google Play Store was found to host three versions of spyware dubbed SonicSpy, according to security research firm Lookout. The attacker also developed about 1,000 malware samples and was able to dump them in third-party Android app stores.
Google Play Store gets infected apps
Attackers can deploy the SonicSpy spyware to get control of affected devices. Once the spyware is activated, it can record audio, take pictures, make phone calls, retrieve call logs, send text messages, and get information about the Wi-Fi access points used by the device.
The infected apps that were available in the Google Play Store include Soniac Messenger, Troy Chat, and Hulk Messenger. Soniac Messenger was downloaded between 1,000 and 5,000 times, according to threatpost.com. Although there is no trace of the three apps in the Play Store now, it is not clear whether Google took the corrective step or whether the developer removed them.
Lookout’s Michael Flossman used DNS poisoning and netcat to analyze the apps’ client-server communications. Flossman and his colleagues found that the spyware supports 73 different remote instructions. The team also discovered that the developer is probably based in Iraq. The researchers also suggested that SonicSpy might not be the only creation from the notorious developer.
Flossman stated that there are various similarities between SpyNote and SonicSpy: both have similar code, regularly use dynamic DNS services, and run on the non-standard port 2222. For SpyNote, the attacker used a custom-built desktop application to put the malicious code in the affected apps in a way that the victim could still interact with the legitimate functionality of the Trojanized apps.
“Due to the steady stream of SonicSpy apps it seems likely that the actors behind it are using a similar automated-build process, however their desktop tooling has not been recovered at this point in time,” the researcher said.
According to KCRA, to avoid SonicSpy, Android users should refrain from downloading apps from unknown sources. Additionally, before downloading, they should also go through the user reviews, as suspicious apps will have low ratings.
Is Google doing enough?
Google has long been talking about the relative success it achieved in taking out apps that contain Trojan viruses and/or backdoors. In March, the company claimed that only 0.05% of Android devices downloaded malicious apps from Google Play last year. Recently, the company talked about its artificial intelligence measures aimed at addressing the problems of the Play Store. However, despite these measures, spyware and malware continue to pour into the Play Store.
In May, researchers unearthed malware that made its way in through more sophisticated apps, the “Judy” series of cooking and lifestyle games, which outsmarted Google’s screening process. Now the SonicSpy episode suggests that Google needs to increase its surveillance measures in the Play Store further.
According to an estimate, about 1.3 billion to 1.4 billion people use Android phones, giving attackers more reason to dump malware in the Play Store than in Apple’s App Store for iOS-based devices. Google’s OS is also more open and adaptable, and therefore, it is easier to infiltrate than Apple’s mobile OS is.