Must read for enterprises sending employees abroad: The SonicSpy malware family
Today, Lookout released information about a new spyware family called SonicSpy. Lookout Security Intelligence researchers discovered the spyware in Google Play and connected it to a known malicious actor potentially operating out of Iraq.
We have discovered over a thousand SonicSpy apps. Soniac, seen in the screenshot above, is one of the SonicSpy apps found live in the Google Play store. It marketed itself as a messaging app in order to trick people into downloading it. Google has since removed the app.
All Lookout customers are protected from this threat.
What SonicSpy does
SonicSpy is a classic spyware app. Our analysis found the malicious app can: silently record audio; take photos with the camera; make outbound calls; send text messages to attacker-specified numbers; and retrieve call logs, contacts, and information about Wi-Fi access points. In fact, the malware has the ability to respond to over 73 different remote commands, meaning attackers can manipulate a victim's device from afar through a command and control server.
Once successfully on the device, it provides the victim the advertised messaging functionality while simultaneously stealing data, building a false sense of trust with the victim.
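The capability list above maps directly onto Android manifest permissions, which gives an app-vetting team a cheap first triage step: compare what an app requests against what its advertised purpose (here, messaging) plausibly needs. The following is an added example, not Lookout's tooling; the permission names are real Android permissions, while the capability mapping, the "expected for a messaging app" set and the manifest are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Each SonicSpy capability named in the post, mapped to the Android permission
# an app must hold to perform it (mapping is this example's assumption).
CAPABILITY_PERMISSIONS = {
    "record audio": "android.permission.RECORD_AUDIO",
    "take photos": "android.permission.CAMERA",
    "make outbound calls": "android.permission.CALL_PHONE",
    "send text messages": "android.permission.SEND_SMS",
    "retrieve call logs": "android.permission.READ_CALL_LOG",
    "retrieve contacts": "android.permission.READ_CONTACTS",
    "read Wi-Fi access points": "android.permission.ACCESS_WIFI_STATE",
}

# What a messaging app can plausibly justify for its advertised features
# (assumed baseline; tune per app category).
EXPECTED_FOR_MESSAGING = {
    "android.permission.INTERNET",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the android:name of every <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def triage(manifest_xml: str) -> dict:
    """Flag spyware-style capabilities and those not explained by the app's purpose."""
    perms = requested_permissions(manifest_xml)
    matched = sorted(c for c, p in CAPABILITY_PERMISSIONS.items() if p in perms)
    unexplained = sorted(p for p in CAPABILITY_PERMISSIONS.values()
                         if p in perms and p not in EXPECTED_FOR_MESSAGING)
    return {"capabilities": matched, "beyond_advertised": unexplained}


# Constructed manifest resembling a messaging app that also asks for the
# call, SMS, call-log and Wi-Fi permissions the post describes.
CONSTRUCTED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.constructed.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(CONSTRUCTED_MANIFEST))
```

A real APK ships a binary manifest, so run this on the output of a decoder such as apktool; the point is the cluster of permissions relative to the advertised purpose, not any single permission.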
Stealth data leakage via spyware a huge concern for enterprises
This kind of functionality should be highly concerning to any party accessing sensitive information through mobile devices, including enterprises.
Enterprises often send employees overseas for conferences, customer meetings, and similar events, and while traveling, employees use messaging apps to communicate with coworkers and family back home. Apps like SonicSpy capitalize on this by posing as trustworthy apps in well-known marketplaces.
It's clear that the malicious actor(s) behind SonicSpy wanted the app to persist on the victim's device, so they made sure to incorporate the functionality that the end user was expecting. This was achieved by incorporating and modifying the publicly available source code for the Telegram messenger app. Consequently, the victim would receive the expected messaging functionality, and therefore not suspect the malicious activity going on in the background.
Spoofing an encrypted communications app also shows the actor's interest in gathering sensitive information.
Spyware causes serious data compromise, which can put enterprise compliance at risk and lead to regulatory fines and loss of brand trust. Because victims are unlikely to discover the spyware on their own, enterprises must have visibility into security events occurring on employees' mobile devices.
SonicSpy is an app-based threat on the Mobile Risk Matrix
This malware family falls into the "app-based" threat category on the Mobile Risk Matrix. This matrix is a tool enterprises can use to better understand how data can be compromised on mobile devices. App threats are specific apps created to steal information, damage a device, or provide unauthorized remote access for the purposes of surveillance and monitoring of a target.
Using its massive dataset compiled from over 100 million devices, Lookout determined that 47 in 1,000 Android devices have encountered an app-based threat. Extrapolated out to the size of a typical enterprise, this could mean hundreds of mobile threats on mobile endpoints accessing corporate data.
It only takes one threat in an enterprise to cause significant damage. For example, many enterprises must comply with government or industry regulations that, when violated, could result in expensive fines. Without protection for mobile devices, enterprises are also unable to securely embrace employee productivity on mobile devices, which is necessary for multinational enterprises with employees traveling around the world.
Mobile devices are another endpoint through which enterprise data flows. An informed security strategy must include visibility into threats and risks to corporate data on mobile devices. Without protection on these endpoints, enterprises unnecessarily open themselves up to attack.