Soniac was one of the three apps found on Google Play, according to a blog post published Thursday by a researcher from mobile security firm Lookout. The app, which had from 1,000 to 5,000 downloads before Google removed it. Soniac had the ability to record audio, take phones, make calls, send text messages, and retrieve logs, contacts, and information about Wi-Fi access points. Google ejected the app after Lookout reported it as malicious. Two other apps—one called Hulk Messenger and the other Troy Chat—were also available in Play but were later removed. It’s not clear if the developer withdrew the apps or if Google expelled them after discovering their spying capabilities. The apps are all part of a malware family Lookout calls SonicSpy.
Once installed, SonicSpy apps remove their launcher icon to hide their presence and then establish a connection to the control server located on port 2222 of arshad93.ddns[.]net.
The researcher said SonicSpy has similarities to another malicious app family called SpyNote, which security firm Palo Alto Networks reported last year. The name of the developer account—iraqwebservice—and several traits found in the apps’ code suggest the developer is located in Iraq. Additionally, much of the domain infrastructure associated with SonicSpy has references to that country. The phrase “Iraqian Shield” appears constantly. Lookout is continuing to follow leads suggesting the developer is based in that part of the world.