Thanks to Chen Yu, Rowland Yu and Ferenc László Nagy of SophosLabs for their behind-the-scenes work.
Android users have a new threat to be aware of: spyware apps that steal data from the devices they infect. A few samples made their way into Google Play, but the vast majority come from other online sources.
Researchers from SophosLabs and elsewhere have found three cases of SonicSpy-infused apps in Google Play: Soniac, Hulk Messenger, and Troy Chat – messaging apps that hide their spying functionality and await orders from command-and-control servers.
Google booted the apps from its store after they were discovered. Researcher Chen Yu said the Google Play versions had “tiny installation numbers and existed for a very short time”. Though three were found on Google Play, SophosLabs has counted 3,240 SonicSpy apps in the wild. Some reports place the number at 4,000.
According to multiple reports, a single bad actor – probably based in Iraq – has released these apps into the wild since February.
How it operates
The various SonicSpy-infused apps share the ability to:
- Silently record audio
- Take photos with the device’s camera
- Make outbound calls
- Send text messages to whatever phone numbers the attacker chooses
- Retrieve data from contacts, Wi-Fi hotspots and call logs
On the devices it infects, SonicSpy removes its launcher icon to hide itself. It then connects to a control server on port 2222 of arshad93.ddns[.]net, according to Michael Flossman, a researcher from Lookout who first reported the spyware’s appearance.
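As an added defensive example (not code from the original article or from SophosLabs), here is a short Python scanner that flags egress-log records touching the control-server indicator quoted above. The log layout, the sample records and the helper names are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

# Indicator as published in the write-up (defanged). The helper names
# below are hypothetical, added here for illustration.
C2_HOST_DEFANGED = "arshad93.ddns[.]net"
C2_PORT = 2222

def refang(indicator: str) -> str:
    """Turn a defanged hostname ('x[.]net') back into a matchable one."""
    return indicator.replace("[.]", ".").lower().rstrip(".")

def classify(dst: str, port: int) -> Optional[str]:
    """'high' for the C2 host (or a subdomain) on 2222, 'medium' for the
    host on any other port, None when the destination is unrelated."""
    host = refang(C2_HOST_DEFANGED)
    dst = dst.lower().rstrip(".")
    if dst != host and not dst.endswith("." + host):
        return None
    return "high" if port == C2_PORT else "medium"

# One record per line: "<ts> <src> <dst>:<port> <proto>" (assumed layout).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<proto>\S+)$"
)

def find_c2_hits(log_text: str) -> List[Dict[str, str]]:
    """Scan egress-log text and return every record that touches the C2 host."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        severity = classify(m["dst"], int(m["port"]))
        if severity:
            hits.append({"ts": m["ts"], "src": m["src"],
                         "dst": f"{m['dst']}:{m['port']}", "severity": severity})
    return hits
# Constructed sample records (not real traffic) in the layout above.
SAMPLE_LOG = """\
2017-08-14T10:01:02Z 10.0.0.12 93.184.216.34:443 tcp
2017-08-14T10:01:05Z 10.0.0.12 arshad93.ddns.net:2222 tcp
2017-08-14T10:02:11Z 10.0.0.17 arshad93.ddns.net:443 tcp
2017-08-14T10:03:40Z 10.0.0.19 sub.arshad93.ddns.net:2222 tcp
"""

if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG):
        print(f"[{hit['severity']}] {hit['ts']} {hit['src']} -> {hit['dst']}")
```

The host-only match is reported at medium severity on purpose: a dynamic-DNS name reused on another port is still worth a look, while the host-plus-port match is the stronger signal.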
Defensive measures
Sophos customers are protected from the SonicSpy apps, which are detected as Andr/HiddenAp-W, Andr/Axent-CY, Andr/FakeApp-BK and Andr/Xgen-Y.
The continued presence of malicious Android apps demonstrates the need to use an Android antivirus such as our free Sophos Mobile Security for Android.
By blocking the install of malicious and unwanted apps, even if they come from Google Play, you can spare yourself lots of trouble.
In the bigger picture, the average Android user isn’t going to know what techniques the malware used to reach their device’s doorstep, but they can do much to keep it from getting in – especially when it comes to the apps they choose. To that end, here’s some more general advice:
- Stick to Google Play. It isn’t perfect, but Google does put plenty of effort into preventing malware from arriving in the first place, or purging it from the Play Store if it shows up. In contrast, many alternative markets are little more than a free-for-all where app creators can upload anything they want, and frequently do.
- Avoid apps with a low reputation. If no one knows anything about a new app yet, don’t install it on a work phone, because your IT department won’t thank you if something goes wrong.
- Patch early, patch often. When buying a new phone model, check the vendor’s attitude to updates and the speed that patches arrive. Why not put “faster, more effective patching” on your list of desirable features, alongside or ahead of hardware advances such as “better camera” and “higher-res screen”?
Can you recommend an avenue to force Google's hand into notifying people that they have downloaded malware from their Play Store?
To get apps from the Play Store, you must have a valid email account, thus Google has a record of what software you downloaded. It could be a fully automated system that emails people when an app they downloaded is detected later as having malware, thus letting people know they are likely infected.
I find it criminally negligent they don’t send notices. They know who you are and what you downloaded; once a file has been pinned as malicious, there’s no excuse for not notifying people.
That’s a great idea, and for another reason, too: At least one of those downloaders is probably the author. S/he’s got to test it, right?