Thursday, 21 September, 2017

Spyware was found in 100+ phone apps, did you download one?

SonicSpy: Over a thousand spyware apps discovered, some in Google Play - Lookout Blog - Lookout Security Researchers report >4000 apps that secretly record audio and steal logs
Sherri Watson | 14 August, 2017, 23:51

"The actors behind this family have shown that they're capable of getting their spyware into the official app store and as it's actively being developed, and its build process is automated, it's likely that SonicSpy will surface again in the future". Users should also avoid installing Google Play apps of questionable value or utility, particularly when they have few downloads.

At least three variants of SonicSpy hiding in apps from Google Play have been intercepted recently by security researchers at Lookout.

It is rather surprising that the apps made their way onto the Google Play Store after Google's recent efforts to identify and remove suspicious malware apps from its app store using artificial intelligence. Although some rumors suggested it might take a while before the feature became visible to users, Google Play Protect is currently available on the Google Play Store. The apps have since been removed, but not before they were downloaded thousands of times. For instance, there's still a listing for Soniac on a site called App Geyser.

Though the infected apps have now been removed from Google, various types of malware, SonicSpy among them, are still alive among apps offered through third parties. The spyware then connects to a control server on port 2222 of arshad93.ddns[.]net, according to Michael Flossman, the Lookout researcher who first reported the spyware's appearance.

All Lookout customers are protected from this threat.

The account behind Soniac, iraqwebservice, has also previously posted two other SonicSpy samples to the Play Store, although both samples are no longer live.

The version of SonicSpy found on the Google Play Store is called Soniac and it was touted as a messaging app. In the case of SpyNote, the attacker used a custom-built desktop application to inject malicious code into specific apps so that a victim could still interact with the legitimate functionality of the trojanized apps.

Last month, users were warned to be on the lookout for a new type of ransomware that can secretly record you.

As well as capturing audio and video clips, the malware locks the device's screen and resets the password, making it ideal for ransoming infected users.