The Borneo Post (Sabah)

Google uncovers dodgier spyware infecting phones


LAS VEGAS: Google’s Android Security team has uncovered a dodgier, powerful new Android spyware, named Lipizzan, which Google claims is linked to Equus Technologies, an Israeli company.

According to its LinkedIn page, the company specialised “in the development of tailor made innovative solutions for law enforcement, intelligence agencies, and national security organisations.”

Google engineers discovered only a small number of cases where Lipizzan was deployed, and they intervened and removed the apps from victims’ devices using a new Android security feature called Google Play Protect.

In total, Google engineers discovered 20 apps infected with Lipizzan, found on fewer than 100 devices. Some of these apps were available through the official Google Play Store.

The Lipizzan-infected apps managed to squeeze past Google’s security checks because the spyware used a classic trick for bypassing Google’s Bouncer security system: splitting malicious behaviour into a second-stage component.

First-stage Lipizzan apps came with legitimate code, which Google Bouncer did not flag as malicious. Once Lipizzan was on a user’s device, it would download a second-stage component under the guise of a “licence verification” step.

This second-stage component would scan the user’s device for certain data. If the phone passed certain checks, the second-stage component would root the user’s device using known exploit packages.

Google says that it detected two waves of apps infected with Lipizzan uploaded to the Play Store, and the second wave included technical modifications to the second-stage component’s modus operandi. This means Lipizzan’s operators were aware that Google had detected their malware, and were actively developing ways to bypass Google’s security system.

It is unclear who was operating the malware, or the purpose for deploying it on the official Google Play Store.

Details on the spyware were presented at the Black Hat USA 2017 security conference here.


Attendees head to meeting rooms at the Black Hat information security conference in Las Vegas.
