Chat apps laced with spyware removed from Google Play

Researchers have found thousands of Android apps containing malware that turns a phone into fully-fledged tool for spying on targets. 

Two of the malicious chat apps, Hulk Messenger and Troy Chat, were recently removed from Google’s Play Store though it’s not clear whether Google booted them or the developer took them down. 

Google also removed another app, Soniac, which contained the same malware that security firm Lookout calls SonicSpy, which has been injected into several hundred  Android apps that have been aggressively promoted by developer since February. 

According to Lookout, SonicSpy apps can record audio, take photos with the camera, make calls, and send text messages to numbers chosen by the attacker. It also leaks call logs, contacts, and wi-fi access point information to the attacker. 

The trojan apps do offer messaging functionality via a custom version of privacy-focused messaging app Telegram that's been rigged with concealed spying capabilities. It's functioning chat features may help explain why Soniac was downloaded by as many as 5,000 Play Store users.   

Once installed, the malicious app removes its icon to ensure it goes unnoticed by the target and difficult to remove. The malware then connects to the attacker’s domain and attempts to install the custom version of Telegram. 

The SonicSpy malware is apparently similar to malware called SpyNote, which researchers at Palo Alto Networks discovered last year after a desktop-based Android spyware builder kit was distributed on hacker forums. 

The builder allowed anyone to create new variants of SpyNote with similar spying capabilities to SonicSpy. SpyNote-laced apps however were not distributed on Google's Play Store, marking a key difference. Generally it's safe to download apps from Google's official app store, which presents many more obstacles for distributing malware than third-party Android app stores.   

Lookout researchers believe the same person is behind the development of SpyNote and SonicSpy due shared design features.   

“In the case of SpyNote, the attacker used a custom-built desktop application to inject malicious code into specific apps so that a victim could still interact with the legitimate functionality of the trojanized apps,” writes Lookout’s Michael Flossman. 

“Due to the steady stream of SonicSpy apps it seems likely that the actors behind it are using a similar automated-build process, however their desktop tooling has not been recovered at this point in time.”

Just before the February uptick in SonicSpy distribution efforts, security firm ZScaler earlier discovered 120 fake versions of popular Android apps, such as WhatsApp, Netflix, and Facebook, that had been rigged with SpyNote.