Consumers are constantly reminded to download only apps that have been thoroughly vetted and published on reputable marketplaces. However, a recent discovery by mobile security firm Lookout shows that even these sources aren’t infallible.
In a blog post published last week, researchers working for the firm reported that a single threat actor has attempted to publish over 4,000 spyware apps since February 2017, with at least three of them making their way to the Google Play Store.
One of the apps, called Soniac, was marketed as a customizable communications program and was downloaded up to 5,000 times before Google removed it from the marketplace. The researchers found that the app was chock-full of spyware capabilities, including the ability to record audio, make calls, send text messages, and retrieve contacts and other sensitive information.
Ars Technica reports that the other two apps – Hulk Messenger and Troy Chat – had been available on Google’s marketplace but had been removed earlier by either the company or the developer. The researchers say that the remaining 4,000+ malicious apps are still being distributed in alternative markets, and are being categorized as part of a malware family that Lookout calls “SonicSpy.”
“What’s commonly seen in all SonicSpy samples is that once they compromise a device they beacon to command and control servers and await instructions from the operator who can issue one of seventy-three supported commands,” said Lookout researcher Michael Flossman. “The way this has been implemented is distinct across the entire SonicSpy family.”
What to do
The researchers say that once the SonicSpy apps have been downloaded, they will often hide their presence on the device by removing their launcher icons, and they establish a connection to the operator’s control server.
To avoid downloading one of these malicious apps, consumers are reminded to install apps only from trusted sources on trusted marketplaces. However, since at least some of these apps have made it onto Google’s marketplace, consumers are urged to exercise even more caution and to scrutinize any non-Google app sources, with the exception of Amazon’s official Android offerings.
“Anyone accessing sensitive information on their mobile device should be concerned about SonicSpy. The actors behind this family have shown that they’re capable of getting their spyware into the official app store, and as it’s actively being developed and its build process is automated, it’s likely that SonicSpy will surface again in the future,” the security researchers said.