Security researchers over at Google have recently discovered a new type of Android spyware dubbed "Lipizzan," which the company believes is linked to Equus Technologies, a cyber arms firm.
Google found that the malware is capable of monitoring and recording a victim's email, SMS messages, location, voice calls, and media. Around 20 Lipizzan apps were reportedly distributed to fewer than a hundred devices. These were distributed through the Google Play Store, but have already been taken down.
The Play Store employs security checks in order to detect malicious apps. In the case of Lipizzan, the apps initially masqueraded as harmless tools under names such as "Backup" or "Cleaner," and contained legitimate code. Upon installation, the app would load a "license verification" stage, which would survey the host device and perform some necessary checks. If these checks passed, this component would proceed to root the device with known exploits and upload data to a Command and Control (C&C) server.
Lipizzan is capable of performing the following operations:
- Call recording
- VoIP recording
- Recording from the device microphone
- Location monitoring
- Taking screenshots
- Taking photos with the device camera(s)
- Fetching device information and files
- Fetching user information (contacts, call logs, SMS, application-specific data)
It also had specific routines to retrieve data from apps such as Skype, Gmail, Hangouts, LinkedIn, Messenger, and Snapchat, among others.
Google further reports that after the first set of apps was blocked on Google Play, new variants emerged, this time claiming to be sound recorder or alarm management apps. Fortunately, these were removed as well.
All things considered, it helps to be careful about the apps we install on our devices, even inside the Google Play Store. It is also not recommended to install raw APK files, as these files could contain malware.
Source: Android Developers Blog via BleepingComputer