The Hacker News — Cyber Security, Hacking, Technology News

If you think you are downloading apps from Google Play Store and you are secure, then watch out!

Someone has managed to flood third-party app stores and Google Play Store with more than a thousand malicious apps, which can monitor almost anything a user does on their mobile device from silently recording calls to make outbound calls without the user’s interaction.

Dubbed SonicSpy, the spyware has been spreading aggressively across Android app stores since at least February and is being distributed by pretending itself to be a messaging app—and it actually offers a messaging service.

SonicSpy Can Perform a Whole Lots of Malicious Tasks

At the same time, the SonicSpy spyware apps perform various malicious tasks, including silently recording calls and audio from the microphone, hijacking the device's camera and snap photos, making outbound calls without the user's permission, and sending text messages to numbers chosen by the attacker.

Besides this, the SonicSpy spyware also steals user information including call logs, contacts and information about Wi-Fi access point the infected device has connected to, which could easily be used to track the user's location.

The spyware was discovered by security researchers at mobile security firm Lookout. The researchers also uncovered three versions of the SonicSpy-infected messaging app in the official Google Play Store, which had been downloaded thousands of times.
Although the apps in question—Soniac, Hulk Messenger and Troy Chat—have since been removed by Google from the Play Store, they are still widely available in third-party app stores along with other SonicSpy-infected apps.

Iraq Connection to the SonicSpy Spyware

The researchers believe the malware is related to a developer based in Iraq and say the overall SonicSpy malware family supports 73 different remote instructions that its attacker could execute on an infected Android device.

The connection of Iraq to the spyware stems from similarities between SonicSpy and SpyNote, another Android malware that was discovered in July 2016, which was masquerading as a Netflix app and was believed to have been written by an Iraqi hacker.

"There are many indicators that suggest the same actor is behind the development of both. For example, both families share code similarities, regularly make use of dynamic DNS services, and run on the non-standard 2222 port," says Lookout Security Research Services Technology Lead Michael Flossman.

Also, the important indicator is the name of the developer account behind Soniac, listed on the Google Play store, was "iraqiwebservice."

Here's How the SonicSpy Spyware Works

One of the SonicSpy-infected messaging apps that made it through Google's Play Store masqueraded as a communications tool called Soniac.

Once installed, Soniac removes its launcher icon from the smartphone menu to hide itself from the victim and connects to a command and control (C&C) server in an attempt to install a modified version of the Telegram app.

However, the app actually includes many malicious features which allowed the attackers to gain almost full control of the infected device and turn it a spy in your pocket that could silently record audio, make calls, take photos, and pilfer your personal data, including call logs, contacts and details about Wi-Fi access points.

Before being removed by Google, the app had already been downloaded between 1,000 and 5,000 times, but since it was part of a family of 1,000 variants, the malware could have infected many thousands more.

SonicSpy Could Get Into Play Store Again

Although SonicSpy-infected apps have now been removed from the Play Store, the researchers warned that the malware could potentially get into the Play Store again with another developer account and different app interface.

"The actors behind this family have shown that they're capable of getting their spyware into the official app store and as it's actively being developed, and its build process is automated, it's likely that SonicSpy will surface again in the future," the researchers warned.

While Google has taken many security measures to prevent malicious apps from making through Google's security checks, malicious apps still make their ways into the Play Store.

Just last month, we warned you about a clever malware, called Xavier, that was discovered in over 800 different Android apps that had been downloaded millions of times from Google Play Store and silently collected sensitive user data and can perform dangerous tasks.

In April, we reported about the BankBot banking trojan making its way to Google Play Store with the ability to get administrator privileges on infected devices and perform a broad range of malicious tasks, including stealing victim's bank logins.

In the same month, about 2 Million Android users fell victim to the FalseGuide malware hidden in more than 40 apps for popular mobile games, such as Pokémon Go and FIFA Mobile, on the official Google Play Store.

How to Protect yourself against such Malware

The easiest way to prevent yourself from being targeted by such clever malware, always beware of fishy apps, even when downloading them from official Google Play Store and try to stick to the trusted brands only.

Moreover, always look at the reviews left by users who have downloaded the app and verify app permissions before installing any app even from the official app stores and grant those permissions that are relevant for the app's purpose.

Also, do not download apps from third party source. Although in this case, the app is also being distributed through the official Play Store, most often victims became infected with such malware via untrusted third-party app stores.

Last but not the least, you are strongly advised to always keep good antivirus software on your device that can detect and block such malware before they infect your device, and keep your device and apps up-to-date.

We just cannot imagine our lives without smartphones, even for a short while, and NSA whistleblower Edward Snowden had not owned a smartphone since 2013 when he began leaking NSA documents that exposed the government's global surveillance program.

Snowden fears that cellular signals of the smartphone could be used to locate him, but now, to combat this, he has designed an iPhone case that would detect and fight against government snooping.

With help from renowned hardware hacker Andrew "Bunnie" Huang, Snowden has devised the design, which they refer to as an "Introspection Engine," that would keep journalists, activists, and human rights workers from being tracked by their own devices leaking their location details.

"This work aims to give journalists the tools to know when their smartphones are tracking or disclosing their location when the devices are supposed to be in airplane mode," Huang and Snowden wrote in a blog post published Thursday. "We propose to accomplish this via direct introspection of signals controlling the phone’s radio hardware."

For now, the design is aimed only at iPhone 6 models, but the duo hopes to create specifications for a large number of devices.

Snowden, together with Huang, presented on Thursday at the MIT Media Lab the design for a case-like add-on device that could modify an iPhone, allowing you to monitor various radio signals inside the phone to confirm they're not transmitting data when they’re meant to be off.

Here’s How the Introspection Engine Works:

Once built, the hardware case will be a separate minicomputer - work independent from your phone - made up entirely of open source hardware, containing its own battery and a small mono-color screen to provide a real-time status of your phone.

The case will have tiny probe wires to attach to a modified iPhone that physically wires into the phone’s antennas used by its radios, including cellular connectivity, GPS, Bluetooth, and Wi-Fi, through the SIM card slot.

The Introspection Engine will then be able to monitor radio transmissions and alert users to any unauthorized output signals it isn't supposed to.

In addition to alerting users, the case will even be able to shut down all radio signals on a phone to prevent governments as well as hackers from finding your location.

Since this case is designed to be independent of your phone, it would prevent your device from malware that activates radios without your knowledge.

"Malware packages, peddled by hackers at a price accessible to private individuals, can activate radios without any indication from the user interface," the duo wrote. "Trusting a phone that has been hacked to go into airplane mode is like trusting a drunk person to judge if they are sober enough to drive."

Instead, Snowden and Huang suggest the beauty of using external hardware as a shield is that it would not be affected if malware has infected your phone. "The core principle is simple: if the reporter expects radios to be off, alert the user when they are turned on," they added.

The Introspection Engine’s mission is to warn users when malware or technical glitches are causing your phone to rat out your location.

However, the hardware case is still nothing more than a design for now.

Supported by the Freedom of the Press Foundation, Snowden and Huang are hoping to build a real-world prototype device over the next year in the hopes of making the case available to journalists as soon as possible.

"DRT has developed a device that emulates a cellular base station to attract cell phones for a registration process even when they are not in use," Boeing said in a 2010 filing [PDF].

How to become a Professional Hacker? This is one of the most frequently asked queries we came across on a daily basis. Do you also want to learn real-world hacking techniques but don’t know where [...]