Thousands of Android-spying apps in the wild: what to do about SonicSpy

Thanks to Chen Yu, Rowland Yu and Ferenc László Nagy of SophosLabs for their behind-the-scenes work.

Android users have a new threat to be aware of: spyware apps that steal data from the devices they infect. Some samples made their way to Google Play, but the vast majority come from other online sources.

Researchers from SophosLabs and elsewhere have found three cases of SonicSpy-infused apps in Google Play: Soniac, Hulk Messenger, and Troy Chat – messaging apps that hide their spying functionality and await orders from command-and-control servers.

Google booted the apps from its store after they were discovered. Researcher Chen Yu said the Google Play versions had “tiny installation numbers and existed for a very short time”. Though three were found on Google Play, SophosLabs has counted 3,240 SonicSpy apps in the wild. Some reports place the number at 4,000.

According to multiple reports, a single bad actor – probably based in Iraq – has released these apps into the wild since February.

How it operates

The various SonicSpy-infused apps share the ability to:

  • Silently record audio
  • Take photos with the device’s camera
  • Make outbound calls
  • Send text messages to whatever phone numbers the attacker chooses
  • Retrieve data from contacts, Wi-Fi hotspots and call logs

On the devices it infects, SonicSpy removes its launch icon to hide itself. It then connects to a control server on port 2222 of arshad93.ddns[.]net, according to Michael Flossman, a researcher from Lookout who first reported the spyware’s appearance.
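The control-server detail above is the one network indicator the article gives, so here is how a defender might sweep egress logs for it. This is an added example, not SophosLabs or Lookout code; the log line shape and the sample lines are constructed and hypothetical, and only the host and port come from the article.

```python
# Added example (not SophosLabs or Lookout code): flag outbound connections to the
# SonicSpy C2 named above. The log shape is a constructed, hypothetical firewall
# export; only the indicator (arshad93.ddns[.]net, port 2222) comes from the article.
import re

SONICSPY_C2_DEFANGED = "arshad93.ddns[.]net"  # as printed in the article
SONICSPY_C2_PORT = 2222

def refang(indicator):
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable host name."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()

# Constructed log shape: "<ts> src=<ip> dst=<host> dport=<port> proto=<tcp|udp>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
                    r"\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)$")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # malformed lines are skipped, not fatal
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def find_sonicspy_hits(lines):
    """Return (src, ts) for each TCP connection to the C2 host on its port."""
    c2_host = refang(SONICSPY_C2_DEFANGED)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Match host AND port: a DDNS name can be reassigned to someone else, and
        # port 2222 alone is far too common. Normalise case and a trailing FQDN dot.
        host = rec["dst"].lower().rstrip(".")
        if host == c2_host and rec["dport"] == SONICSPY_C2_PORT and rec["proto"].lower() == "tcp":
            hits.append((rec["src"], rec["ts"]))
    return hits

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    "2017-08-14T10:02:11Z src=10.0.0.12 dst=arshad93.ddns.net dport=2222 proto=tcp",
    "2017-08-14T10:03:40Z src=10.0.0.27 dst=ARSHAD93.DDNS.NET. dport=2222 proto=tcp",
    "2017-08-14T10:04:02Z src=10.0.0.31 dst=arshad93.ddns.net dport=443 proto=tcp",
    "malformed line that should be ignored",
]

if __name__ == "__main__":
    for src, ts in find_sonicspy_hits(SAMPLE_LOG):
        print(f"{ts} possible SonicSpy C2 beacon from {src}")
```

A hit on this indicator is a reason to pull the device for inspection, not proof on its own, since the DDNS name can change hands after the campaign ends.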

Defensive measures

Sophos customers are protected from the SonicSpy apps, which are detected as Andr/HiddenAp-W, Andr/Axent-CY, Andr/FakeApp-BK and Andr/Xgen-Y.

The continued presence of malicious Android apps demonstrates the need to use an Android antivirus such as our free Sophos Mobile Security for Android.

By blocking the install of malicious and unwanted apps, even if they come from Google Play, you can spare yourself lots of trouble.

In the bigger picture, the average Android user isn’t going to know what techniques the malware used to reach their device’s doorstep, but they can do much to keep it from getting in – especially when it comes to the apps they choose. To that end, here’s some more general advice:

  • Stick to Google Play. It isn’t perfect, but Google does put plenty of effort into preventing malware arriving in the first place, or purging it from the Play Store if it shows up. In contrast, many alternative markets are little more than a free-for-all where app creators can upload anything they want, and frequently do.
  • Avoid apps with a low reputation. If no one knows anything about a new app yet, don’t install it on a work phone, because your IT department won’t thank you if something goes wrong.
  • Patch early, patch often. When buying a new phone model, check the vendor’s attitude to updates and the speed that patches arrive. Why not put “faster, more effective patching” on your list of desirable features, alongside or ahead of hardware advances such as “better camera” and “higher-res screen”?