SonicSpy: Iraqi spyware observed in the wild. Developer planted 1000+ apps on the official Google Play Store

SonicSpy: 1000+ spyware apps hosted by an Iraqi developer on Google Play, Google's official app store. Able to take photos, record audio and more, all remotely.

SonicSpy Spyware

Android malware "SonicSpy" has been spotted in the wild on the official Google Play Store. Researchers reported 1000+ apps being hosted by the same "Iraqi" developer. It has been aggressively deployed on the Play Store since February 2017.

Things to Know About SonicSpy

SonicSpy, the Android malware, gave its developer a way to steal various kinds of sensitive user information such as call logs, the Wi-Fi access points the device has seen, contacts, etc. It also let the intruder remotely perform spy operations such as making outbound calls, sending text messages, and silently recording audio by enabling the microphone.

How does SonicSpy work?

SonicSpy uses a command-and-control (C&C) mechanism to take over the victim's Android phone. Google Bouncer, Google Play's official app-screening service, failed to detect this spyware. The SonicSpy malware family supports more than 60 different remote instructions for performing spy activities such as enabling the camera, taking pictures and recording audio.

Forenzy's Android Incident Response Team has done a detailed analysis of the "SonicSpy" Android spyware. The facts and analysis are as follows:

1. Analysis of package "sys.arshad.sys" (one of the apps carrying the "SonicSpy" spyware)

Permissions required by the malicious app "sys.arshad.sys"

2. The developer signature and the C&C (command and control) URL were observed to point to arshad93.ddns[dot]net. The port used to spawn the shell was observed to be 2222. The attacker appears to be using a dynamic DNS service so that the IP address of the C&C server can be changed constantly.

The following analysis shows the use of dynamic DNS services to load C&C instructions
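The dynamic-DNS C&C behaviour described in point 2 is something a defender can hunt for in egress logs. The script below is an added example, not Forenzy's tooling: it parses a constructed connection log (timestamp, source IP, destination host, destination port, protocol), refangs the defanged C&C hostname published above, and flags connections to known C&C hosts, to dynamic-DNS provider domains, or to the observed shell port 2222. The log format, the dynamic-DNS suffix list and all hosts other than arshad93.ddns[dot]net are assumptions made for the example.

```python
"""Hunt outbound connection logs for SonicSpy-style dynamic-DNS C&C traffic.

Added example (not Forenzy's analysis tooling). Assumed log format, one
connection per line:
    <timestamp> <src_ip> <dst_host> <dst_port> <proto>
All hosts below other than the published C&C domain are constructed sample data.
"""
from collections import defaultdict

# C&C indicator exactly as published in the analysis (defanged form).
KNOWN_C2_DEFANGED = {"arshad93.ddns[dot]net"}

# Assumption: suffixes of common dynamic-DNS providers; tune to your intel feed.
DYNAMIC_DNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.biz", ".duckdns.org", ".hopto.org")

# Port the analysis observed being used to spawn the remote shell.
SUSPICIOUS_PORTS = {2222}

# Constructed sample log: one device beaconing to the C&C host, one device
# talking to an unrelated dynamic-DNS name, plus benign and malformed lines.
SAMPLE_LOG = """\
2017-08-10T09:12:01Z 10.0.0.23 play.googleapis.com 443 tcp
2017-08-10T09:12:05Z 10.0.0.23 arshad93.ddns.net 2222 tcp
2017-08-10T09:13:10Z 10.0.0.23 arshad93.ddns.net 2222 tcp
2017-08-10T09:14:00Z 10.0.0.42 updates.example.org 443 tcp
2017-08-10T09:15:30Z 10.0.0.42 camera-sync.hopto.org 8080 tcp
malformed line
"""


def refang(indicator):
    """Turn a defanged indicator such as 'a.b[dot]c' back into a real hostname."""
    return indicator.lower().replace("[dot]", ".").replace("[.]", ".").replace("hxxp", "http")


KNOWN_C2 = {refang(h) for h in KNOWN_C2_DEFANGED}


def parse_line(line):
    """Return (ts, src, host, port, proto) or None for lines that do not parse."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    ts, src, host, port, proto = parts
    return ts, src, host.lower().rstrip("."), int(port), proto


def classify(host, port):
    """Return the reasons a connection looks suspicious (empty list if benign)."""
    reasons = []
    if host in KNOWN_C2:
        reasons.append("known C&C host")
    elif host.endswith(DYNAMIC_DNS_SUFFIXES):
        reasons.append("dynamic-dns host")
    if port in SUSPICIOUS_PORTS:
        reasons.append(f"port {port}")
    return reasons


def triage(log_text):
    """Group suspicious connections by source device.

    Returns {src_ip: [(host, port, reasons, hit_count), ...]}; repeated
    beaconing to the same host:port is collapsed into one entry with a count.
    """
    seen = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        _, src, host, port, _ = rec
        reasons = classify(host, port)
        if reasons:
            seen[src][(host, port, tuple(reasons))] += 1
    return {
        src: [(host, port, list(reasons), count)
              for (host, port, reasons), count in hits.items()]
        for src, hits in seen.items()
    }


if __name__ == "__main__":
    for src, hits in triage(SAMPLE_LOG).items():
        for host, port, reasons, count in hits:
            print(f"{src} -> {host}:{port} x{count}  [{', '.join(reasons)}]")
```

Feeding real proxy or firewall export data into `triage()` only requires adapting `parse_line()` to that format; the classification and per-device grouping stay the same.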

During dynamic analysis, the app asked for the various sensitive permissions shown below, including "Modify shortcuts", "Send SMS", "Make calls", etc.
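The permission set an app declares is visible before it ever runs, so the same observation can be made statically. The script below is an added example, not Forenzy's analysis tooling: it parses the AndroidManifest.xml of a decoded APK and maps each declared permission to the spy capability named in the analysis above (audio recording, outbound calls, SMS, contacts, call logs, Wi-Fi state, shortcut modification). The manifest it parses is a constructed sample that mimics the permissions reported for sys.arshad.sys, not the real manifest, and the permission-to-capability mapping and flagging threshold are assumptions for the example.

```python
"""Static triage of an Android manifest for the permission profile SonicSpy used.

Added example (not Forenzy's tooling). Works on the AndroidManifest.xml of a
decoded APK; the manifest below is constructed sample data.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission -> spy capability it enables. Assumption: mapping chosen for this
# example from the capabilities described in the analysis.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "silent audio recording",
    "android.permission.CAMERA": "taking pictures",
    "android.permission.SEND_SMS": "sending text messages",
    "android.permission.CALL_PHONE": "making outbound calls",
    "android.permission.READ_CALL_LOG": "reading call logs",
    "android.permission.READ_CONTACTS": "reading contacts",
    "android.permission.ACCESS_WIFI_STATE": "enumerating Wi-Fi access points",
    "com.android.launcher.permission.INSTALL_SHORTCUT": "modifying shortcuts",
}

# Constructed sample manifest mimicking the reported permission set.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="sys.arshad.sys">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
    <application/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return (package_name, set_of_permission_names) from a manifest string."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    perms = {
        el.get(f"{{{ANDROID_NS}}}name", "")
        for el in root.findall("uses-permission")
    }
    perms.discard("")  # ignore malformed <uses-permission> without a name
    return pkg, perms


def triage_manifest(manifest_xml, threshold=3):
    """Map declared permissions to spy capabilities.

    The app is flagged when at least `threshold` sensitive permissions are
    declared together; a single one (e.g. CAMERA in a camera app) is normal,
    the combination observed here is not.
    """
    pkg, perms = declared_permissions(manifest_xml)
    capabilities = {p: SENSITIVE[p] for p in sorted(perms) if p in SENSITIVE}
    return {
        "package": pkg,
        "sensitive_permissions": capabilities,
        "flagged": len(capabilities) >= threshold,
    }


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(f"{report['package']}: flagged={report['flagged']}")
    for perm, capability in report["sensitive_permissions"].items():
        print(f"  {perm} -> {capability}")
```

To run this against a real sample, decode the APK first (for example with apktool) and pass the contents of the resulting AndroidManifest.xml to `triage_manifest()`; the threshold is deliberately a parameter so it can be tuned per app category.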

How to protect against SonicSpy?
Google has removed all malicious apps owned by the "SonicSpy" developer. To stay safe against these attacks, be careful when downloading apps. Don't install apps from third-party websites; use only the Play Store, Google's official app store. Run malware scans regularly on your Android phone. For any further query, feel free to reach us via our contact-us page.