UPDATED 23:52 EDT / AUGUST 10 2017

SonicSpy spyware discovered in 1,000+ Android apps

A recently discovered spyware family believed to have originated in Iraq is infecting more than 1,000 Android apps, including some available for download from the Google Play store.

Dubbed “SonicSpy,” the spyware can record calls and audio, take photos, make calls, send text messages, and monitor call logs, contacts and information about Wi-Fi access points. According to researchers at Lookout Inc., the overall SonicSpy family supports 73 different remote instructions, giving the alleged hacker behind it multiple attack opportunities.

The spyware is distributed primarily by posing as a messaging app, and it actually delivers a messaging service. But at the same time, it steals information from a victim’s Android device. Three versions of the SonicSpy-infected messaging app were discovered in the Google Play Store and have since been removed: Soniac, Hulk Messenger and Troy Chat. But the same apps are still widely available on third-party app stores, along with other SonicSpy-infected apps.

The alleged Iraq connection to the spyware stems from similarities between SonicSpy and SpyNote, Android malware that was masquerading as a Netflix app in 2016, which is also believed to have been written by an Iraqi hacker. “There are many indicators that suggest the same actor is behind the development of both,” Lookout Security Research Services Tech Lead Michael Flossman wrote. “For example, both families share code similarities, regularly make use of dynamic DNS services, and run on the non-standard 2222 port.”

The more obvious giveaway, however, is the name of the account that was used to distribute the apps on the Google Play store: “iraqiwebservice.”

Flossman warned that although these apps have been removed from Google Play for now, Android users should remain wary because it’s likely SonicSpy will reappear. “The actors behind this family have shown that they’re capable of getting their spyware into the official app store and as it’s actively being developed, and its build process is automated, it’s likely that SonicSpy will surface again in the future,” he added.
