
Android users are facing new threats to their privacy with the recent discovery of over a thousand spyware apps on the loose. A security firm found that at least three of these apps—which are capable of covertly taking photos, recording audio, retrieving call logs, and more—were available for download on Google Play.


Google has removed the apps from its store, according to mobile security firm Lookout, but the search company did not respond to multiple press inquiries regarding how spyware is imperiling its customers’ security.

Google has touted relative success in combating trojans and apps featuring backdoors, however, announcing in March that only 0.05 percent of Android devices downloaded malicious apps from Google Play last year.


The spyware discovery was first published by Lookout this week. The firm, which presented a method for jailbreaking the Apple Watch at this year’s DEFCON, wrote that a threat actor based in Iraq was likely the culprit; the account responsible, at least, is called “iraqwebservice.”

“Belonging to the family ‘SonicSpy,’ these samples have been aggressively deployed since February 2017, with several making their way onto the Google Play Store,” Lookout research lead Michael Flossman writes. “Google removed at least one of the apps after Lookout alerted the company.” The spyware discovered on Google Play went by the name “Soniac” and presented itself as a messaging app. It was determined to be a customized version of Telegraph, meaning it provided actual messaging capabilities.

Yet the spyware-infested app also gave the author significant control over the device once downloaded, including the ability to “silently record audio, take photos with the camera, make outbound calls, send text messages to attacker specified numbers, and retrieve information such as call logs, contacts and information about Wi-Fi access points.”



According to Lookout, the app was capable of executing up to 73 remote instructions. Users who downloaded Soniac likely forgot about it soon after, since the Soniac icon disappears after the first execution.


Although Google did remove Soniac, it’s unclear whether the company also removed two previous spyware apps which have been attributed to the same author: Hulk Messenger and Troy Chat, both of which contained the same SonicSpy capabilities.

“The actors behind this family have shown that they’re capable of getting their spyware into the official app store,” Flossman wrote, “and as it’s actively being developed, and its build process is automated, it’s likely that SonicSpy will surface again in the future.”


[Lookout]