The spyware appears to be the product of a cyber arms group
Google has discovered powerful Android spyware, dubbed Lipizzan, which lurked behind infected apps and scanned infected devices for user data.
The spyware was able to bypass Google’s Bouncer security system by splitting into two stages. The fist stage comprises apps with legitimate code offering useful services such as data backup and software cleaning, which allowed then to squeeze past Google security checks.
Once downloaded by Android device users the innocuous apps would then download a second-stage component featuring malicious code, which escaped security checks by hiding under the guise of being a license verification process.
Once the victim;s device was infected with the malicious code, Lipizzan gained root privileges enabling it to perform a variety of spyware tasks, such as call recording, location monitoring, and taking screenshots.
Lipizzan Android spyware
Google’s security team identified the spyware and have subsequently blocked it’s access to the Android Play Store, and it appears that the search giant tackled the malware before it could spread too far.
“Lipizzan is a multi-stage spyware product capable of monitoring and exfiltrating a user’s email, SMS messages, location, voice calls, and media,” explained researchers from Google’s Threat Analysis Group.
“We have found 20 Lipizzan apps distributed in a targeted fashion to fewer than 100 devices in total and have blocked the developers and apps from the Android ecosystem. Google Play Protect has notified all affected devices and removed the Lipizzan apps.”
Google noted that while the source of the spyware has yet to be confirmed, signs point toward it originating from an Israeli cyber arms group called Equus Technologies.
The group describes itself as offering products and services for “law enforcement, intelligence agencies, and national security organisations”, which could suggest the Lipizzan spyware was a proof-of-concept attack created by the company rather than an all out spyware campaign.
It also signals that there are hackers and coders actively looking at ways to bypass Google;s security checks and systems.
Google’s bolstered Android security service, Google Play Protect aims to provide the means by which Android users can protect themselves from such cyber threats.