
Many Apps Are Infected With SonicSpy Spyware (Android Malware)





The Google Play Store is one of the best platforms for downloading Android apps. But hackers sometimes use the Play Store to target users' phones, publishing malware there so that when a user installs the app, the phone is infected by the dangerous app.





However, according to Lookout's cybersecurity researchers, an investigation conducted over the past six months found that over a thousand applications have been infected with spyware, and some of them are being distributed through Google Play. These infected applications are part of a malware family called SonicSpy, which includes support for about 73 different remote instructions.

Apps carrying the malware can quietly record audio; take photos with the camera; make outbound calls; send text messages to attacker-specified numbers; and retrieve call logs, contacts, and data about Wi-Fi access points. “In fact, the malware has the capability to respond to over 73 different remote controls, indicating attackers can handle a victim’s device from remote through a command and control server,” said Michael Flossman, a security analyst at Lookout.

Lookout's team found an app called Soniac available on Google Play, which appeared to be a harmless version of the Telegram messaging app but also included malicious mechanisms. When an infected app is installed on a device, the cybercriminal behind the scheme immediately receives considerable control over it.

The most recent example of SonicSpy noticed on the Play Store was named Soniac and was marketed as a messaging app. While Soniac does provide this functionality through a customized version of the communications app Telegram, it also includes malicious capabilities that give an attacker significant control over a target device.

When installed, SonicSpy removes its launcher icon and hides so that the victim does not realize the device has been infected. It then creates a connection to its C&C server and installs a customized version of the Telegram app, which is named su.apk and stored in the res/raw directory.





Upon first install, SonicSpy removes its launcher icon to hide from the victim, establishes a connection to the C2 infrastructure at arshad93.ddns[.]net:2222, and tries to install its own custom version of Telegram, which is stored in the res/raw directory and named su.apk.
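
A static triage check for the two artifacts named above (the su.apk payload under res/raw and the C2 hostname), as an added example that is not from Lookout or the original post. The function names and the in-memory sample APKs are constructed for illustration.

```python
import io
import zipfile

# Indicators taken from the article; the host stays defanged and is refanged only for matching.
C2_HOST_DEFANGED = "arshad93.ddns[.]net"
EMBEDDED_APK_PATH = "res/raw/su.apk"
ZIP_MAGIC = b"PK\x03\x04"


def triage_apk(apk_bytes):
    """Return a list of findings for one APK given as raw bytes."""
    findings = []
    c2 = C2_HOST_DEFANGED.replace("[.]", ".").encode()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            if name == EMBEDDED_APK_PATH:
                findings.append("embedded payload at " + name)
            elif name.startswith("res/raw/") and data.startswith(ZIP_MAGIC):
                # A renamed payload still begins with the ZIP local-file header.
                findings.append("nested archive in res/raw: " + name)
            if name.endswith(".dex") and c2 in data:
                findings.append("C2 host string in " + name)
    return findings


def build_sample(infected, payload_name=EMBEDDED_APK_PATH):
    """Construct a minimal stand-in APK (constructed test data, not a real sample)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", b"placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"placeholder")
        if infected:
            host = C2_HOST_DEFANGED.replace("[.]", ".").encode()
            z.writestr("classes.dex", b"dex\n035\x00" + host + b"\x00")
            z.writestr(payload_name, inner.getvalue())
        else:
            z.writestr("classes.dex", b"dex\n035\x00example.invalid\x00")
            z.writestr("res/raw/notify.ogg", b"OggS\x00")
    return outer.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)), ("infected", build_sample(True))):
        print(label, triage_apk(sample))
```

A hit on either check is a reason to pull the package for full analysis, not a verdict: legitimate apps can bundle archives in res/raw, and the hostname match only covers the one C2 address given here.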


SpyNote uses customized desktop applications to inject malware into an app so that the victim can still use the original functions of the infected app. The steady stream of SonicSpy apps also makes it evident that the threat actors are using a similar automated build process. Currently, researchers are not aware of the desktop tooling behind the malware.

“It’s clear that the malicious actors behind SonicSpy desired the app to persist on the victim’s device, so they performed surely to incorporate the functionality that the end user was expecting.”

It is clear that threat actors are now capable of getting spyware into applications in the official app store.
