Google’s Android Security team has found and blocked a series of targeted spyware apps belonging to the Lipizzan malware family, believed to have been developed for cyber espionage. Although the apps appeared benign at first, a second, malicious payload would be downloaded once the device matched certain criteria.
Both the benign and the malicious components seem to have been developed by the same company, Equus Technologies, as security researchers concluded that the stage two payload was signed with the same certificate as the stage one application. Uploaded under names such as “Backup” or “Cleaner”, the applications appeared perfectly legitimate until the malicious payload was downloaded.
“Lipizzan is a multi-stage spyware product capable of monitoring and exfiltrating a user’s email, SMS messages, location, voice calls, and media,” reads the security blog post. “We have found 20 Lipizzan apps distributed in a targeted fashion to fewer than 100 devices in total and have blocked the developers and apps from the Android ecosystem. Google Play Protect has notified all affected devices and removed the Lipizzan apps.”
To exfiltrate data, the second stage of Lipizzan would root the device using known exploits, then begin retrieving data from apps such as Gmail, Hangouts, KakaoTalk, LinkedIn, Messenger, Skype, Snapchat, StockEmail, Telegram, Threema, Viber and WhatsApp.
Once the discovered apps were banned from Google Play, new apps with similar behavior were submitted under different names, ranging from “cleaner” and “notepad” to “sound recorder” and “alarm manager”. This time, however, the malicious payload was bundled directly within the apps as an encrypted resource rather than downloaded later.
Despite this renewed attempt at re-submitting malicious apps, Google detected the scheme and blocked them once more, again notifying all affected devices.