SonicSpy Android Spyware Found in Google Play

Security researchers have uncovered over 1,000 apps infected with SonicSpy (detected by Trend Micro as ANDROIDOS_GHOSTCLICKER.AXM), a spyware that can let attackers hijack the affected Android device. At least three versions of SonicSpy-embedded apps also made their way into Google Play, which have since been removed from the app store. 

SonicSpy was built on the source code of popular and legitimate messaging application Telegram, which was open-sourced to enable developers who want to customize their own messaging platforms. SonicSpy’s developer, however, added spyware and remote access functionalities into the apps and rebranded them with app names such as Soniac, Hulk Messenger, and Troy Chat. 

The amount of SonicSpy-infected apps churned out by the creator—reaching over 4,000—suggests that SonicSpy’s development was automated. Researchers also said the apps are being distributed via third-party app marketplaces as well as through SMiShing. Also known as SMS phishing, SMiShing is a type of phishing attack that uses socially engineered text messages to lure would-be victims into clicking a link or downloading malware. 

[From TrendLabs Security Intelligence Blog: Android Backdoor GhostCtrl can Silently Record Your Audio, Video, and More] 

SonicSpy sports 73 remote commands, some of which include:

  • Recording audio via the device’s microphone
  • Triggering the camera to take pictures
  • Make outbound calls and send text messages to an indicated number, such as premium text number services
  • Retrieve call logs, contact lists and Wi-Fi hotspots 

SonicSpy is just one of the many mobile device-hijacking malware in the Android platform. In July, GhostCtrl backdoor emerged, disguised as a gaming and messaging app. GhostCtrl does more than just record photos or audio—it can download and delete files, for instance, as well as run shell commands, reset passwords—and true to name—get the infected device play different sound effects. 

There’s also MilkyDoor that masqueraded as recreational apps, one of which had installs between 500,000 and a million on Google Play. Trend Micro’s analysis indicated MilkyDoor seemed to have been coded to breach enterprise networks and private servers. 

[Infographic: How can you make your Bring Your Own Device environment Safe?] 

Indeed, as the adoption of the mobile platform become more ubiquitous, the threats that come with it will also increase in diversity, scale, and scope. End users must strengthen their posture against these threats, especially if they are used to access and handle company networks and data. Follow best practices for mobile safety, and ensure that your BYOD program implement robust security and privacy policies.

Trend Micro Solutions

End users and enterprises can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security for Android™ (available on Google Play).  Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent websites. 


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.

Veröffentlicht in Mobile Safety, Android