This Android spyware can record calls, take screenshots and video, targets Gmail, LinkedIn, Snapchat data


A powerful new form of spyware designed to compromise specifically targeted Android devices and spy on everything from communications to location has been uncovered – and blocked – by cybersecurity researchers at Google.

Named Lipizzan – after a breed of horse – the spy malware monitors and steals information about the target’s emails, texts and other messages, exfiltrates information about contacts, listens in on and records calls, can take screenshots and record audio and video, and monitors the location of the user.

Google said the app also had routines to retrieve data from apps including:

  • Gmail
  • Hangouts
  • KakaoTalk
  • LinkedIn
  • Messenger
  • Skype
  • Snapchat
  • StockEmail
  • Telegram
  • Threema
  • Viber
  • WhatsApp

Fewer than 100 devices have been found to be infected with Lipizzan, but the nature of the malware – much like the Chrysaor Android spyware before it – suggests it was being used on a specific set of individuals. Chrysaor was an Android version of the Pegasus mobile spyware used by a nation state to monitor iPhones belonging to activists in the Middle East.

However, while Google – which has published the findings in a blog and given a presentation on it at Black Hat in Las Vegas – hasn’t detailed who has been targeted by Lipizzan or who might be using its service, threat researchers said they have found references in the code to Equus Technologies, which is described as a “cyber arms company”.

Described as a “sophisticated two stage spyware tool”, Lipizzan is distributed through a number of channels, including the official Google Play Store, disguised as basic apps such as backups or cleaners that hid the malicious intent within. In total, about 20 different apps were designed to deliver the malware.

The malicious apps were able to bypass Google Play protection features because compromise didn’t occur until the app was downloaded onto the device.

However, upon installation, Lipizzan downloads and loads a second “licence verification” stage, which inspects the device before rooting it and connecting to a command-and-control server which is used to exfiltrate data about communications and calls.

Google blocked the first set of Lipizzan apps, but even then new versions were uploaded within a week of the takedown, this time designed to look like apps including notepads, sound recorders and alarm managers. Researchers suggest this shows the authors have a method of easily changing the branding of the implant apps.

These new versions of the apps also changed the delivery of the malware, from downloading an unencrypted version of stage 2 to embedding it, encrypted, deep within the app. Stage 2 would only run when the app was specifically instructed to run it with an Advanced Encryption Standard (AES) key to unlock the package.
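A payload encrypted and embedded inside an app, as described above, tends to show up in static triage as a large, near-random file. The following is an added example, not taken from Google's analysis or the original article: it scans an APK (a ZIP archive) for such high-entropy entries. The threshold, the size floor, the extension list and the sample file names are assumptions.

```python
import io, math, os, zipfile
from collections import Counter

# Formats that are already compressed, so high entropy is expected (assumed list).
EXPECTED_HIGH_ENTROPY = {".png", ".jpg", ".jpeg", ".webp", ".mp3", ".ogg", ".mp4", ".gz", ".zip"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed triage cut-off, tune on your own corpus
MIN_SIZE = 4096           # skip tiny files, whose entropy estimate is unreliable


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def suspicious_entries(apk_bytes: bytes):
    """Return [(name, size, entropy)] for entries that look like opaque blobs."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            if info.is_dir() or info.file_size < MIN_SIZE or ext in EXPECTED_HIGH_ENTROPY:
                continue
            entropy = shannon_entropy(apk.read(info))
            if entropy >= ENTROPY_THRESHOLD:
                hits.append((info.filename, info.file_size, round(entropy, 2)))
    return hits


def build_sample_apk() -> bytes:
    """Constructed sample: a fake APK whose random blob stands in for ciphertext."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='com.example.notepad'/>" * 200)
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00\x01\x02\x03" * 4096)
        z.writestr("res/raw/notes_help.txt", b"How to use the notepad.\n" * 500)
        z.writestr("assets/license.dat", os.urandom(32 * 1024))  # constructed placeholder
    return buf.getvalue()


if __name__ == "__main__":
    for name, size, entropy in suspicious_entries(build_sample_apk()):
        print(f"{name}: {size} bytes, entropy {entropy} bits/byte")
```

High entropy is a triage signal rather than a verdict: legitimate apps also ship compressed or encrypted assets, so a hit is a reason to look at which code reads the file.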

However, despite the changes, Google was once again able to catch the apps and remove them from the store “soon” after they were uploaded. Google says its Google Play Protect feature actively blocks new installs of Lipizzan on devices.

Google keeps the vast majority of its 1.4 billion Android users safe from malware, but malicious apps still get through.

But while this spyware only affects a tiny fraction of Android devices – 0.000007% – and it remains unclear who was targeted by Equus and how they were convinced to download the apps, Google has issued advice on protecting against Lipizzan and other malware.

Users are told to opt into Google Play Protect and to download apps exclusively from the Google Play Store because “the chance you will install a PHA [potentially harmful app] is much lower on Google Play than using other install mechanisms”. Android users are also urged to keep their phone patched with the latest version of the operating system.