Lipizzan Malware: Google Discovers, Blocks Malware That Could Spy On Android Users
A team of security researchers at Google discovered and blocked a new family of Android malware developed by a cyber arms company that may have its roots in state-sponsored spying efforts.
The malware—known as Lipizzan—contained references within its code to an Israeli tech firm called Equus Technologies, which offers “tailor made innovative solutions for law enforcement, intelligence agencies, and national security organizations.”
Read: Android Malware: Apps In Google Play Store Spread 'Judy' Adware Attack To Nearly 40 Million Phones
In the Android Developers Blog, Megan Ruthven of Android Security and Ken Bodzak and Neel Mehta of Google’s Threat Analysis Group detailed the malicious software, which they called a “multi-stage spyware product.”
The researchers found Lipizzan had the ability to monitor and steal communications from the device. The malware could hijack a user’s email, SMS messages, location information, voice calls and local media. It could also snap screenshots of the user’s device and hijack the camera to take pictures or record video.
When active, Lipizzan could steal data from a number of apps including Gmail, Google Hangouts, LinkedIn, Facebook Messenger, Skype, Snapchat, popular messaging platforms like WhatsApp and Viber and encrypted communications app Telegram.
Most troubling about Lipizzan was that it was found in apps on the Google Play Store disguised as legitimate apps. The malware was most often found in apps posing at popular utilities with names like “Backup” or “Cleaner.” A second wave of apps containing the malware posed as notepad, sound recorder, and alarm manager apps.
Read: Android Malware: CopyCat Attack Infects 14 Million, Roots 8 Million Devices
When a user would install one of the infected apps, the app would begin to download a “license verification” that would examine the device. If the handset met certain criteria, the second stage of Lipizzan would kick in and root the device while establishing a connection to the Command and Control server operated by malicious actors to send back files and recordings.
While the spyware was available to download through apps in the Google Play Store, Google reported very few instances in which infections were found. According to the company’s findings, fewer than 100 devices had the malicious apps installed on their devices. Google claimed that would make the infection rate only 0.000007 percent.
Lipizzan and the apps that contain it have been removed from the Google Play Store, and Google recommends users make use of Google Play Protect, a security suite for Android devices.
Google also advised users to download apps exclusively from the Google Play Store rather than from third-party app stores and to disable installations from unknown sources. The search giant also suggested keeping devices up to date with the most recent security patch.
While Google may have caught and eliminated Lipizzan, the company has run into a fair amount of malware slipping through the cracks of its Google Play Store. Earlier this year, an adware scheme managed to infect 40 million phones through Google’s official marketplace.
© Copyright IBTimes 2024. All rights reserved.