A new form of spyware, designed to compromise specifically targeted Android devices and monitor everything from the phone's communications to its location, has been uncovered -- and blocked -- by cybersecurity researchers at Google.
Named Lipizzan -- after a breed of horse -- the malware monitors and steals information about the target's emails, texts, and other messages, exfiltrates information about contacts, listens in and records calls, can take screenshots and record audio and video, and monitors the location of the user.
Google said the app also has routines to retrieve data from apps, including:
Fewer than 100 devices have been found to be infected with Lipizzan, but the nature of the malware -- much like Chrysaor Android spyware before it -- suggests it was being used on a specific set of individuals. Chrysaor was an Android version of the Pegasus mobile spyware used by a nation state to monitor iPhones belonging to activists in the Middle East.
However, while Google -- which has published details about Lipizzan in a blog post and gave a presentation on it at Black Hat in Las Vegas -- hasn't detailed who has been targeted by Lipizzan or who might be behind it, threat researchers said they have found references in the code to Equus Technologies, which is described as a "cyber arms company".
Described as a "sophisticated two-stage spyware tool", Lipizzan is distributed through a number of channels, including the official Google Play Store, where it can be disguised as a basic app such as a backup or cleaning tool, hiding the malicious nature of the software. In total, about 20 different apps were designed to deliver the malware.
The malicious apps were able to bypass Google Play protection features because the compromise doesn't occur until the app is downloaded onto the device.
However, upon installation, Lipizzan downloads and loads a second "licence verification" stage which inspects the device. The device is then rooted and connected to a command-and-control server, which is used to exfiltrate data about communications and calls on the phone.
Google blocked the first set of Lipizzan apps, but new versions were uploaded within a week of the takedown. This time, the apps were designed to look like notepads, sound recorders, and alarm managers. Researchers suggest this shows the authors have a method of easily changing the branding of the implant apps.
This new wave of the apps also changed the delivery of the malware: instead of downloading an unencrypted version of stage two, the apps carried it encrypted deep within the app package. Stage two would only run if the app was specifically instructed to, using an Advanced Encryption Standard (AES) key to unlock the package.
However, despite the changes, Google was once again able to catch the apps and remove them from the store "soon" after they were uploaded. Google says its Google Play Protect feature actively blocks new installs of Lipizzan on devices.
Google keeps the vast majority of its 1.4 billion Android users safe from malware, but malicious apps still get through.
But while this spyware only affected a tiny fraction of Android devices -- 0.000007 percent -- and it remains unclear who was targeted by Equus and how they were convinced to download the apps, Google has issued advice on protecting against Lipizzan and other malware.
Users are told to opt into Google Play Protect and to download apps exclusively from the Google Play Store because "the chance you will install a PHA [potentially harmful app] is much lower on Google Play than using other install mechanisms". Android users are also urged to keep their phone patched with the latest version of the operating system.