SonicSpy malware sneaks into Google Play Store

By JC Torres/Aug. 14, 2017 5:51 am EST

There are pros and cons to the way Apple screens apps that go into its App Store and the way Google prefers to rely on automation to preserve the quality and security of Android apps. The latter methods is more efficient and more open to the hundreds of apps submitted to the Google Play Store. Unfortunately, that does mean that some less than innocent apps do slip in through the cracks. Case in point is a family of spyware collectively named "SonicSpy", which was able to bypass Google's automated bouncer, allowing infected apps to join the Google Play Store list, potentially infecting unsuspected Android users.

The way SonicSpy works seems pretty straightforward, so it's both amazing and worrying that it got through Google's defenses. One example of such an app that almost got away was Soniac, which presented itself as a "Telegram Plus" chat app. The "Plus" here being the spyware it unloads.

After it has been installed by the unfortunate user, SonicSpy itself removes visible traces from the phone by hiding its launcher icon. It then establishes a hidden connection with a remote C2 server and then installs a modified version of the app that is supposedly installed in the first place. After that, the user's information is fair game to whoever distributed the infected app. SonicSpy malware is known to support 73 remote functions and is able to record audio, take photos, make calls, send messages, and more.

SonicSpy, however, isn't that unique nor is it even discreet. Lookout security researchers speculate that it might actually be related to a 2016 spyware named SpyNote. It might even be written by the same author, considering how similar they are. In that case, it's quite worrying that SonicSpy is able to get past Google Play Store's screening mechanism in the first place.

The situation, which also isn't unique, doesn't exactly inspire confidence in Google's security measures. It's one thing to see malware in third-party sources and APKs floating around the Internet, it's another to be infected by an app on Google Play Store. Google reportedly already took down one such app after Lookout reported the matter, and its machine learning system might have just gotten smarter because of it. Hopefully, however, next time it won't be too late before Google is able to more effectively weed out malware carriers.

SOURCE: Lookout