Malware researchers at Google have spotted a new strain of Android spyware dubbed Lipizzan that could exfiltrate any kind of data from mobile devices and use them as surveillance tools.
The Lipizzan spyware is a project developed by Israeli startup Equus Technologies.
How does Lipizzan work?
According to the analysis published by Google:
Getting on a target device
Lipizzan was a sophisticated two stage spyware tool. The first stage found by Google Play Protect was distributed through several channels, including Google Play, and typically impersonated an innocuous-sounding app such as a “Backup” or “Cleaner” app. Upon installation, Lipizzan would download and load a second “license verification” stage, which would survey the infected device and validate certain abort criteria. If given the all-clear, the second stage would then root the device with known exploits and begin to exfiltrate device data to a Command & Control server.
Once implanted on a target device
The Lipizzan second stage was capable of performing and exfiltrating the results of the following tasks:
- Call recording
- VOIP recording
- Recording from the device microphone
- Location monitoring
- Taking screenshots
- Taking photos with the device camera(s)
- Fetching device information and files
- Fetching user information (contacts, call logs, SMS, application-specific data)
The spyware is also able to collect data from specific apps, including WhatsApp, Snapchat, Viber, Telegram, Facebook Messenger, LinkedIn, Gmail, Skype, Hangouts, and KakaoTalk.
Google researchers have found at least 20 apps in Play Store which infected fewer than 100 Android smartphones in total, the company classified the infections as targeted attacks.
“We have found 20 Lipizzan apps distributed in a targeted fashion to fewer than 100 devices in total and have blocked the developers and apps from the Android ecosystem. Google Play Protect has notified all affected devices and removed the Lipizzan apps.” states Google.
What can you do to protect yourself?
- Ensure you are opted into Google Play Protect.
- Exclusively use the Google Play store. The chance you will install a PHA is much lower on Google Play than using other install mechanisms.
- Keep “unknown sources” disabled while not using it.
- Keep your phone patched to the latest Android security update.