A new form of spyware, designed to compromise specifically targeted Android devices and monitor everything from the phone's communications to its location, has been uncovered -- and blocked -- by cybersecurity researchers at Google.
Named Lipizzan -- after a breed of horse -- the malware monitors and steals information about the target's emails, texts, and other messages, exfiltrates information about contacts, listens in and records calls, can take screenshots and record audio and video, and monitors the location of the user.
Described as a "sophisticated two-stage spyware tool", Lipizzan is distributed through a number of channels, including the official Google Play Store, where it can be disguised as a basic app such as a backup or cleaning tool, hiding the malicious nature of the software. In total, about 20 different apps were designed to deliver the malware.
The malicious apps were able to pass Google Play's checks because the app uploaded to the store is only the first stage: it contains nothing obviously malicious, and the actual compromise does not happen until the app is installed on a device and fetches the second stage.
Once installed, Lipizzan downloads and loads that second stage, disguised as a "licence verification" component, which first surveys the device. The device is then rooted using known Android exploits and connected to a command-and-control server, which is used to exfiltrate data about communications and calls on the phone.
Google blocked the first set of Lipizzan apps, but new versions were uploaded within a week of the takedown. This time, the apps were designed to look like notepads, sound recorders, and alarm managers. Researchers suggest this shows the authors have a method of easily changing the branding of the implant apps.
This new wave of apps also changed how the malware was delivered: instead of downloading an unencrypted stage two, the apps carried it as an encrypted payload buried inside the app itself, which defeats static inspection of the package. Stage two would only be decrypted and run when the command-and-control server specifically instructed it to, supplying the Advanced Encryption Standard (AES) key needed to unlock the package.
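An encrypted stage two hidden inside the package does not look like code to a scanner, but it does look like something: a large, opaque, high-entropy file sitting where an app's assets normally live. The following is an added triage example (not Google's tooling and not taken from the Lipizzan samples) that walks an APK, which is just a zip file, and flags asset files whose byte entropy is close to the 8 bits/byte that ciphertext or random data exhibits. The entropy threshold, minimum size, the list of skipped media extensions, and the sample APK it builds in memory are all assumptions chosen for illustration; real packages also legitimately carry high-entropy files, so a hit is a lead for manual analysis, not a verdict.

```python
import io
import math
import hashlib
import zipfile
from collections import Counter

# Assumed heuristic settings (illustrative, not from the original article):
ENTROPY_THRESHOLD = 7.5   # bits per byte; AES ciphertext sits near 8.0
MIN_SIZE = 4096           # entropy estimates on tiny files are noisy
# Already-compressed media is high-entropy by nature, so skip it to cut noise.
SKIP_EXT = {".png", ".jpg", ".jpeg", ".gif", ".webp", ".mp3", ".ogg", ".ttf", ".otf"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def suspicious_assets(apk_bytes: bytes, threshold: float = ENTROPY_THRESHOLD,
                      min_size: int = MIN_SIZE):
    """Return (name, entropy) for members under assets/ or res/raw/ that look
    like opaque blobs: large, not a known media type, and near-random bytes."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            if not (name.startswith("assets/") or name.startswith("res/raw/")):
                continue
            if name.endswith("/") or info.file_size < min_size:
                continue
            if any(name.lower().endswith(ext) for ext in SKIP_EXT):
                continue
            ent = shannon_entropy(z.read(name))   # uncompressed content
            if ent >= threshold:
                flagged.append((name, round(ent, 2)))
    return flagged


def pseudo_random_bytes(seed: bytes, size: int) -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted payload
    (a SHA-256 chain, so the example is reproducible offline)."""
    out, block = bytearray(), seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:size])


def build_sample_apk() -> bytes:
    """Constructed stand-in for a 'notepad' APK carrying an encrypted stage two.
    These files are made up for the example; they are not real app content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", "<manifest package='com.example.notepad'/>")
        z.writestr("assets/help.txt", "Tap + to create a note.\n" * 400)      # low entropy
        z.writestr("assets/license.bin", pseudo_random_bytes(b"stage2", 64 * 1024))  # flagged
        z.writestr("assets/logo.png", pseudo_random_bytes(b"png", 16 * 1024))  # skipped by ext
    return buf.getvalue()


if __name__ == "__main__":
    # Point this at a real APK with: suspicious_assets(open(path, "rb").read())
    for name, ent in suspicious_assets(build_sample_apk()):
        print(f"{name}: {ent} bits/byte")
```

Note that a hit only tells you the file is opaque; confirming that it is an encrypted second stage means finding the code path that reads it, looks for a decryption key (here, one pushed from the C&C server), and loads the result as code.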
However, despite the changes, Google was once again able to catch the apps and remove them from the store "soon" after they were uploaded. Google says its Google Play Protect feature actively blocks new installs of Lipizzan on devices.
But while this spyware only affected a tiny fraction of Android devices -- 0.000007 percent -- and it remains unclear who was targeted by Equus (Equus Technologies, the company whose name Google found referenced in the code) and how they were convinced to download the apps, Google has issued advice on protecting against Lipizzan and other malware.
Users are told to opt into Google Play Protect and to download apps exclusively from the Google Play Store because "the chance you will install a PHA [potentially harmful app] is much lower on Google Play than using other install mechanisms". Android users are also urged to keep their phones patched with the latest version of the operating system, which matters here because stage two relied on known, already-fixed rooting exploits.