Researchers from mobile security firm Lookout say they found at least three Android apps on the Google Play Store that contained a form of advanced spyware they believe was created by an Iraqi developer.
Experts say the malware author modified a version of the official Telegram app, injected the spyware code, rebranded it, and uploaded the modified app on the Play Store.
In total, the crook uploaded the app three times on the Play Store under the names Soniac, Hulk Messenger, and Troy Chat. Only Soniac was active on Google's app store when researchers first spotted the spyware, as the other two apps were already taken down, most likely by the developer himself.
Researchers believe the same developer created both spyware families. They base their theory on two observations: both families' command-and-control infrastructure used dynamic DNS services listening on the non-standard port 2222, and both apps were decompiled, injected with the malicious code, and recompiled with the same desktop utility, possibly as part of a custom automated build system.
On infected devices, SonicSpy supports 73 different malicious actions in the form of instructions it receives from a remote server. Below is a summary of the most intrusive ones:
Users get infected by installing the app and granting it the permissions it requests, which are the same permissions it needs to carry out its abusive actions. The apps are very hard to spot because they include a fully working chat application, giving victims no reason to suspect their device has been compromised.