Thursday 27 July 2017

Google Blocks Spyware Family From Android App Store

Google this week released details of a sophisticated new family of spyware tools that the company recently blocked from its Play mobile app store after discovering the malware being used against some Android users.

Dubbed Lipizzan, the Android spyware appears to have been developed by Equus Technologies, an Israeli startup that Google referred to as a 'cyber arms' seller in a blog post published Wednesday. In total, with the help of Google Play Protect, the Android security team found Lipizzan spyware in 20 apps that had been distributed in a targeted fashion to fewer than 100 Android devices.
Google blocked and removed all of those Lipizzan apps, and their developers, from the Android ecosystem, and Google Play Protect notified all affected users. Google has also enhanced Google Play Protect's app scanning to detect Lipizzan and prevent similar targeted spyware from being uploaded to the mobile app store.

Sophisticated Multi-Stage Spyware

Google described Lipizzan as a two-stage spyware tool designed to monitor and steal a victim's email and SMS messages, intercept voice calls and media, and steal location data.

In the first stage, attackers distribute Lipizzan disguised as an innocuous-looking app such as "Backup" or "Cleaner" through various Android app stores, including the official Play Store. Once a victim installs it, the first-stage component downloads a second, separate component that does the actual monitoring and data theft. That second component is designed to activate only after it has checked that the device is safe for it to do so.

If given the all-clear, the second stage roots the device with known exploits and begins exfiltrating device data to a command-and-control server.

Gathers Data from Other Popular Apps

Lipizzan's second component was capable of a wide range of malicious activities: it could record voice calls, record from the phone's microphone, track the victim's location, take screenshots and take photos with the device's camera.

It can also pull data from specific apps, sidestepping the protection their encryption would otherwise provide; on a rooted device this means reading the apps' local message stores rather than breaking the encryption itself. The targeted apps include WhatsApp, Snapchat, Viber, Telegram, Facebook Messenger, LinkedIn, Gmail, Skype, Hangouts, and KakaoTalk.

The second Lipizzan component shared a signing certificate with the first, indicating that the same authors likely developed both. When Google blocked the first set of Lipizzan apps from Google Play, the authors quickly uploaded a new set with the same capabilities but slightly different properties: instead of posing as backup apps, the new samples mimicked other innocuous-sounding apps such as a sound recorder and an alarm manager. Despite these changes, Google detected and blocked the malware, the three members of Google's security team said.
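A shared signing certificate is the kind of link an analyst can check for themselves when two APKs with different names and icons are suspected of coming from the same hands. The script below is an added example, not code from the article, from Google or from Equus: it wraps the real `apksigner verify --print-certs` command from the Android SDK build-tools and compares the first signer's certificate digest across two files. The sample `apksigner` output embedded for offline testing is constructed, and its digests are made up, not real Lipizzan indicators.

```shell
#!/bin/sh
# Added example (not Google's or Equus's code): cluster APKs by signing
# certificate, the same property Google used to tie Lipizzan's two stages
# together. Live use needs "apksigner" from the Android SDK build-tools.

# Read "apksigner verify --print-certs" output on stdin and print the
# first signer's certificate SHA-256 digest as lowercase hex, or nothing
# if no such line is present (unsigned APK or unexpected output).
extract_cert_sha256() {
    awk '/^Signer #1 certificate SHA-256 digest:/ { print tolower($NF); exit }'
}

# Digest of the signing certificate of the APK at $1 (calls the real tool).
apk_cert_sha256() {
    apksigner verify --print-certs "$1" | extract_cert_sha256
}

# 0 when both digests are present and identical: the APKs were signed with
# the same private key, so they almost certainly share an author.
same_signer() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Report for two APK files on disk; exit status mirrors same_signer.
compare_apks() {
    a=$(apk_cert_sha256 "$1")
    b=$(apk_cert_sha256 "$2")
    if same_signer "$a" "$b"; then
        echo "SAME signer: $a"
    else
        echo "different signers: ${a:-none} vs ${b:-none}"
        return 1
    fi
}

# Constructed sample output in apksigner's format (digests are made up) so
# the parsing and comparison can be exercised without the tool or any APK.
SAMPLE_STAGE1='Signer #1 certificate DN: CN=Backup, O=Example
Signer #1 certificate SHA-256 digest: 0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C4B5A69788796A5B4C3D2E1F0'
SAMPLE_STAGE2='Signer #1 certificate DN: CN=Sound Recorder, O=Example
Signer #1 certificate SHA-256 digest: 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0'

# Compare the two constructed samples; 0 means they share a certificate.
demo_same_signer() {
    a=$(printf '%s\n' "$SAMPLE_STAGE1" | extract_cert_sha256)
    b=$(printf '%s\n' "$SAMPLE_STAGE2" | extract_cert_sha256)
    same_signer "$a" "$b"
}

demo_same_signer && echo "sample stage-1 and stage-2 APKs share a signing certificate"
```

With two real files, `compare_apks stage1.apk stage2.apk` prints the verdict and returns 0 only when the signers match. The digest is normalised to lowercase because `apksigner` prints uppercase hex while many threat-intel feeds use lowercase; a certificate match is strong evidence of common authorship, but the reverse is not: different certificates do not rule out the same actor.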

Earlier this year, Google found and blocked Chrysaor, an Android spyware allegedly developed by NSO Group that was used in targeted attacks against activists and journalists in Israel, Georgia, Turkey, Mexico, the UAE and other countries. Like Lipizzan, Chrysaor was used for targeted cyber-espionage, and it was discovered on what Google described as a few dozen Android devices.

Protect your Android device
Android users are strongly recommended to follow these simple steps to protect themselves:
  • Ensure that you have opted into Google Play Protect.
  • Download and install apps only from the official Play Store.
  • Enable the 'Verify apps' feature in Settings.
  • Protect your device with a PIN or password lock.
  • Keep 'Unknown sources' disabled except while you actually need it.
  • Keep your device up to date with the latest security patches.
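Three of those settings can be read over adb instead of by tapping through menus, which is handy when checking a batch of devices. The script below is an added example, not from the article or from Google. The keys it reads are real Android settings (install_non_market_apps, which lives in the secure namespace on Android 5 through 7 and is superseded by per-app install permissions from Android 8; package_verifier_enable in the global namespace; and the ro.build.version.security_patch system property). The minimum acceptable patch level is an assumption chosen to match the article's date, and the Play Protect opt-in and lock-screen items are left out.

```shell
#!/bin/sh
# Added example (not from the article or Google): audit the settings the
# checklist above recommends, over adb. Settings namespaces differ between
# Android versions; install_non_market_apps lives in "secure" on Android 5-7
# and is replaced by per-app install permissions from Android 8 onward.

# Assumed policy: the device must carry at least this security patch level.
MIN_PATCH_LEVEL=2017-07-01

# YYYY-MM-DD -> YYYYMMDD as an integer; anything unparsable becomes 0 so an
# empty or "null" value fails the comparison instead of crashing the script.
date_to_int() {
    d=$(printf '%s' "$1" | sed 's/-//g')
    case $d in
        ''|*[!0-9]*) d=0 ;;
    esac
    printf '%s' "$d"
}

# "Unknown sources" must be off: install_non_market_apps should read 0.
check_unknown_sources() { [ "$1" = "0" ]; }

# "Verify apps" must be on: package_verifier_enable should read 1.
check_verify_apps() { [ "$1" = "1" ]; }

# Security patch level ($1) must not be older than the minimum ($2).
check_patch_level() {
    [ "$(date_to_int "$1")" -ge "$(date_to_int "$2")" ]
}

# Evaluate the three values ($1 unknown sources, $2 verify apps, $3 patch
# level, optional $4 minimum patch level); prints one verdict per line and
# returns the number of weak settings (0 = all good).
audit_android() {
    fails=0
    if check_unknown_sources "$1"; then
        echo "ok    unknown sources disabled"
    else
        echo "WEAK  unknown sources enabled (install_non_market_apps=$1)"
        fails=$((fails + 1))
    fi
    if check_verify_apps "$2"; then
        echo "ok    verify apps enabled"
    else
        echo "WEAK  verify apps disabled (package_verifier_enable=$2)"
        fails=$((fails + 1))
    fi
    if check_patch_level "$3" "${4:-$MIN_PATCH_LEVEL}"; then
        echo "ok    security patch level $3"
    else
        echo "WEAK  security patch level $3 is older than ${4:-$MIN_PATCH_LEVEL}"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Pull the live values from a USB-debugging-enabled device and audit them.
# adb shell output ends in CRLF, hence the tr.
audit_connected_device() {
    audit_android \
        "$(adb shell settings get secure install_non_market_apps | tr -d '\r')" \
        "$(adb shell settings get global package_verifier_enable | tr -d '\r')" \
        "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')"
}

# Constructed sample: a device with sideloading on, verification off and an
# old patch level trips all three checks and returns 3.
demo_weak_device() { audit_android 1 0 2016-11-05; }
```

Run `audit_connected_device` with a device attached; a non-zero exit status is the count of weak settings, so the function drops straight into a fleet script or CI job. The weak profile in `demo_weak_device` is exactly the one Lipizzan's first stage benefits from: sideloading allowed, app verification off, and a kernel old enough that the "known exploits" the second stage roots with are still unpatched.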
