Over 1,000 spyware apps, that can monitor almost everything, have been found on various Android app stores, including Google Play. The spyware samples belong to the SonicSpy malware family, which security experts say, was developed by hacker(s) in Iraq. Security experts say that hackers have been "aggressively" pushing SonicSpy samples since February 2017.
SonicSpy comes with a wide range of capabilities and can be used to remotely execute 73 different kinds of commands. The spyware can surreptitiously take photos, record audio, make calls, and send text messages to numbers specified by hackers. SonicSpy can also steal data such as contacts, call logs, Wi-Fi access information.
According to security experts at Lookout, SonicSpy was detected after three samples, disguised as messaging services called soniac, hulk messenger and troy chat, were uncovered by the researchers on Google Play. Although Google has already removed the three malicious apps from Google Play, the apps had already been downloaded by users before they were removed. ZDNet reported that before it was removed, soniac had been downloaded between 1,000 to 5,000 times.
SonicSpy allows hackers to hijack infected devices and communicates directly with the attackers' command and control servers. It is still unclear if the hackers are going after specific targets or are merely looking to gain data from the many victims who downloaded the spyware infected apps.
Researchers also said that numerous other versions of the spyware continue to be available on various third-party Android apps. The spyware samples flooding Android apps also contained several similarities with yet another malware family called SpyNote. Lookout researchers believe that SonicSpy and SpyNote, which share similar code, may have been created by the same Iraqi hackers.
Although Google has removed SonicSpy from Google Play, researchers warn that it could make a comeback. "The actors behind this family have shown that they're capable of getting their spyware into the official app store and as it's actively being developed, and its build process is automated, it's likely that SonicSpy will surface again in the future," said Michael Flossman, security research services tech lead at Lookout.