August 10, 2017

Must Read for Enterprises Sending Employees Abroad: The SonicSpy Malware Family

SonicSpy app "Soniac"

Today, Lookout released information about a new spyware family called SonicSpy. Lookout Security Intelligence researchers discovered the spyware in Google Play and connected it to a known malicious actor potentially operating out of Iraq.

We have discovered over a thousand SonicSpy apps. Soniac, seen in the screenshot above, is one of the SonicSpy apps found live in the Google Play store. It marketed itself as a messaging app in order to trick people into downloading it. Google has since removed the app.

All Lookout customers are protected from this threat.

What SonicSpy does

SonicSpy is a classic spyware app. Our analysis found the malicious app can: silently record audio; take photos with the camera; make outbound calls; send text messages to attacker-specified numbers; and retrieve call logs, contacts, and information about Wi-Fi access points. In fact, the malware has the ability to respond to over 73 different remote commands, meaning attackers can manipulate a victim's device from afar through a command and control server.

Once successfully on the device, it provides the victim with the advertised messaging functionality while simultaneously stealing data, building a false sense of trust with the victim.

Stealth data leakage via spyware is a huge concern for enterprises

This kind of functionality should be highly concerning to any party accessing sensitive information through mobile devices, including enterprises.

Enterprises often send employees overseas for conferences, customer meetings, etc., and while traveling, employees use messaging apps to communicate with coworkers and family back home. Apps like SonicSpy capitalize on this by pretending to be trustworthy apps in well-known marketplaces.

It's clear that the malicious actor(s) behind SonicSpy wanted the app to persist on the victim's device, so they made sure to incorporate the functionality that the end user was expecting. This was achieved by incorporating and modifying the publicly available source code for the Telegram messenger app. Consequently, the victim would receive the expected messaging functionality, and therefore not suspect the malicious activity going on in the background.

Spoofing an encrypted communications app also shows the actor's interest in gathering sensitive information.

Spyware causes serious data compromise, which could put enterprise compliance at risk, leading to regulatory fines and loss of brand trust. Because the victim is not likely to discover the spyware on their own, enterprises must have visibility into security events occurring on an employee's mobile device.

SonicSpy is an app-based threat on the Mobile Risk Matrix

This malware family falls into the "app-based" threat category on the Mobile Risk Matrix. This matrix is a tool enterprises can use to better understand how data can be compromised on mobile devices. App threats are specific apps created to steal information, damage a device, or provide unauthorized remote access for the purposes of surveillance and monitoring of a target.

Using its massive dataset compiled from over 100 million devices, Lookout determined that 47 in 1,000 Android devices have encountered an app-based threat. Extrapolated out to the size of a typical enterprise, this could mean hundreds of mobile threats on mobile endpoints accessing corporate data.

It only takes one threat in an enterprise to cause significant damage. For example, many enterprises must comply with government or industry regulations that, when violated, could result in expensive fines. Without protection for mobile devices, enterprises are also unable to securely embrace employee productivity on mobile devices, which is necessary for multinational enterprises with employees traveling around the world.

Mobile devices are another endpoint through which enterprise data flows. An informed security strategy must include visibility into threats and risks to corporate data on mobile devices. Without protection on these endpoints, enterprises unnecessarily open themselves up to attack.

Authors

Michael Flossman

Head of Threat Intelligence

Michael is Head of Threat Intelligence at Lookout where he works on reverse engineering sophisticated mobile threats while tracking their evolution, the campaigns they are used in, and the actors behind them. He has hands-on experience in vulnerability research, incident response, security assessments, pen-testing, reverse engineering and the prototyping of automated analysis solutions. When not analysing malware there’s a good chance he’s off snowboarding, diving, or looking for flaws in popular mobile apps.

Threat Type: Spyware, Malware
Platform(s) Affected: Android
Discovered By: Lookout
Entry Type: Threat Summary
