Image Reference:

Android malware is not something I typically perform forensic analysis on, but this one caught my eye. This caught my eye mainly because it was in a threat actor database directory that GuidePoint Security’s (GPS) Digital Forensic and Incident Response (DFIR) team has been watching, and also because it is the first sample of Android malware I have seen posted on this particular threat actors database.

Knowing this threat actor has had some recent successes, I thought I should take a look at this Android malware and give it the ole’ forensic once-over. I’m glad I did.

Considering Google is fighting a massive Android malware outbreak [1], and 99% of all mobile malware is Android malware[2], this would be a good way to “enter” into a targeted environment and start to move laterally.  But wait until you see what this Android Remote Access Trojan (RAT) can do.

GPS DFIR teams perform forensic analysis of malware in an effort to provide OSINT and our customers real, actionable and valid forensic IOCs (e.g., Hash values, IPv4, etc.).  It is these IOCs that allow our customers the ability to “plug” them into security devices for action, detection and prevention.


Because of ongoing threat investigations that I will not disclose in this analysis, I have labeled this Android malware “Ludo Coins” RAT.  Yes, I believe there could be a direct correlation to and, among other things, this RAT could be used to capitalize on the Ludo Coins business model for cash.


GPS DFIR harvested this sample directly from the threat actor’s database server and was subsequently analyzed in the GPS forensic malware analysis lab.

Overall impression of this RAT is that it has a good overall design and will capture and control all major components and features of your Android mobile device.  The reader should be quite aware that after installation the victimized user will have no control over that mobile device.

Sample Analyzed

MD5:   ee7fba3487165f00533e4fd90bca531f
SHA256:    7eb6a65a7d9ee2bfc9b8df6442cfa2c76f4753663297d2dabafc023b1bd2370b

Analysis Platform

Android x86 5.1 (“Android 4”)

Analysis Summary

Overall, this RAT has very little visual clues that it has been installed.  Remember, this is a RAT and it will allow a remote threat actor full control of your Android device.

It does have the ability to change the wallpaper so the threat actor can change ( if they so wish.

Test Image 1: Android Screen Capture

During testing, I also noted the RAT can access the Android keyguard (lock screen) and allow the remote threat actor to query the phone’s “GPS” location.

The RAT also performs anti-forensic activities once it is initialized:

  • Deletes call logs/history
  • Deletes other (installed) packages (platform dependent)
  • Kills background processes
  • Obfuscates method names

After deployment/installation, the RAT has the capability of performing a variety of command level functions – remotely:

  • Dials phone numbers and sends SMS (SmsManager) in the background
  • Monitors, redirects and/or block calls
  • Records audio (while running in the background)
  • Takes photos
  • Records any audio/media running on the Android device

The RAT also has specific remote access functionality:

  • Uses Download Manager to fetch additional RAT components
  • Redirects camera/video feed
  • Reads call logs & browser history
  • Monitors incoming & outgoing phone calls and SMS messages
  • Conducts remote query
    • Query list of installed applications
    • Camera Information
    • Stored mail
    • Phone contact information
  • Queries the SIM provider ISO country code
  • Queries the network operator ISO country code
  • Queries device unique ID (e.g., IMEI, MEID, etc.)


This RAT has the ability to spread throughout a WiFi environment after initial installation.  It can change the (local) WiFi settings in which it can chose to connect and disconnect from selected WiFi networks.  It can also scan access points for available WiFi networks.

Remember, once it conducts these activities it will transmit the information back to the threat actor and with a reasonable level of effort the threat actor will be able to plot your general geographical location and have knowledge of your WiFi preferences and access.


Overall, if this Android malware (SonicSpy) infects an Android device, the user will have few visual indications that they have been infected and unless the network IOCs are being monitored, there will be little evidence of an infection.

In my opinion, if an Android device has been infected with SonicSpy, it will command root level access, remain persistent, and make other malicious changes to your mobile device. About the only safe thing you can do at that point is to take a hammer to the Android device and physically destroy it.

At least after you destroy your Android you can buy an iPhone and not worry about being infected with SonicSpy or any Android variant.

SonicSpy IOCs

File name:   SonicSpy.apk

File size:   840735
MD5:   ee7fba3487165f00533e4fd90bca531f
SHA256:   7eb6a65a7d9ee2bfc9b8df6442cfa2c76f4753663297d2dabafc023b1bd2370b



Port: 5228 (sample tested seems to always want to connect to CnC to this outbound port)




Bill Corbitt, National Practice Director for Digital Forensics Incident Response & Forensic Intelligence, is a seasoned, results-oriented leader with extensive corporate, federal, and international experience, dealing with cybersecurity, forensic, and Incident Response dilemmas. In addition to his demonstrated success in aligning security results with business requirements, Bill is recognized for his abilities in implementing accurate cyber-countermeasures to protect intellectual property, reduce cybersecurity risk, and protect intellectual property on a global scale. A respected strategist within the forensic and incident response communities, Bill holds a Bachelor of Science degree in Criminal Justice from Valdosta State University.