Android malware Lipizzan could spy on users' every move - until Google shut it down

Android being targeted by malware crafted by cyber arms merchants, warns Google

Google has discovered a new form of Android malware, called Lipizzan, that can record phone calls, monitor the device's location, retrieve data from popular apps and even make recordings from the device's microphone.

Google claimed that the spyware is linked to Israeli cyber arms company Equus Technologies.

Google found the Android spyware as part of its investigation into the Chrysaor targeted spyware, which was believed to have been written by another cyber arms company, NSO Group.

Google Play Protect detected Lipizzan in 20 different apps that had been distributed in a targeted fashion to fewer than 100 devices.

The first stage of the two-stage spyware tool was a seemingly innocuous app, with a name such as ‘Backup’ or ‘Cleaner’, distributed on the Google Play store and through several other channels.

Once installed, the app would download and load a second ‘licence verification’ stage, which would survey the infected device and validate certain abort criteria.

If given the all-clear, the second stage would then root the device with known exploits and begin to exfiltrate device data to a command and control server.

The second stage was capable of performing the following tasks and exfiltrating the results:

  • Call recording;
  • VoIP recording;
  • Recording from the device microphone;
  • Location monitoring;
  • Taking screenshots;
  • Taking photos with the device camera(s);
  • Fetching device information and files; and,
  • Fetching user information, such as contacts, call logs and text messages.

The spyware could also retrieve data from the likes of Gmail, LinkedIn, Messenger, Skype, Snapchat, Viber and WhatsApp.

Google said it had blocked the developers and apps from the Android ecosystem. It said that Google Play Protect had notified all affected devices and removed the Lipizzan apps.

Google advised users to ensure they are opted into Google Play Protect, download apps only from the Google Play store, keep ‘unknown sources’ disabled when not in use, and keep their devices patched to the latest Android security update.
