Lipizzan

Google's Android Security team announced today the discovery of a new and powerful Android spyware family, named Lipizzan, which Google links to Equus Technologies, an Israeli company that describes itself on its LinkedIn page as being specialized "in the development of tailor made innovative solutions for law enforcement, intelligence agencies, and national security organizations."

Google says its engineers discovered only a small number of cases where Lipizzan was deployed, and they intervened and removed the apps from victims' devices using a new Android security feature called Google Play Protect.

In total, Google engineers identified 20 apps carrying Lipizzan, installed on fewer than 100 devices. Some of these apps were available through the official Google Play Store.

Lipizzan apps found on the official Google Play Store

The Lipizzan-infected apps managed to squeeze past Google's security checks because the spyware used a classic trick for bypassing Google's Bouncer app-scanning system: splitting the malicious behavior out into a second-stage component that is only fetched after the app is installed.

First-stage Lipizzan apps contained only legitimate code, which Google Bouncer did not flag as malicious. Once Lipizzan was on a user's device, it would download a second-stage component under the guise of a "license verification" step.

In reality, this second-stage component would scan the user's device for certain data, and if the phone passed certain checks, the second-stage component would root the device using known exploit packages.
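The staged-loading pattern described above leaves a recognizable footprint in an app's bytecode even when the first stage is otherwise benign: the app must fetch something over the network, write it to a location it can execute from, and load it with a dynamic class loader. The following triage script is an added example written for this page; it is not Google's or Equus Technologies' code, and it does not reflect whatever checks Google actually ran. It assumes you have already dumped the printable strings from an app's classes.dex (for example with `strings classes.dex`) and feeds that list in; the indicator patterns, the `.invalid` URLs, and both sample string lists are constructed for illustration, not taken from Lipizzan samples.

```python
"""Heuristic triage for a two-stage ("download, then dynamically load") Android app.

Added example, not code from the original article or from Google. Input is the
list of printable strings pulled from classes.dex; the script never touches a
real APK. Indicator names, patterns and sample inputs are constructed.
"""
import re
from dataclasses import dataclass, field

# Indicator classes. Any one of these on its own is normal for a legitimate app;
# the heuristic only flags the combination a second-stage loader needs.
INDICATORS = {
    "dynamic_load": [                      # load code that was not in the APK
        r"dalvik/system/DexClassLoader",
        r"dalvik/system/PathClassLoader",
        r"dalvik/system/InMemoryDexClassLoader",
        r"loadDex",
    ],
    "network_fetch": [                     # get the second stage from somewhere
        r"java/net/HttpURLConnection",
        r"okhttp3/OkHttpClient",
        r"https?://\S+",
    ],
    "stage_write": [                       # park it in a loadable location
        r"getCodeCacheDir",
        r"getDir",
        r"java/io/FileOutputStream",
        r"\.dex\b",
        r"\.jar\b",
    ],
    "pretext": [                           # user-facing cover story for the fetch
        r"[Ll]icen[cs]e[ _-]?(check|verif|valid)",
    ],
}

# A staged loader needs all three of these; "pretext" is only supporting evidence.
REQUIRED = ("dynamic_load", "network_fetch", "stage_write")


@dataclass
class Verdict:
    staged_loader: bool
    matched: dict = field(default_factory=dict)  # indicator class -> matching strings


def triage(dex_strings):
    """Return a Verdict for one app's dex strings (iterable of str)."""
    matched = {}
    for name, patterns in INDICATORS.items():
        hits = sorted({s for s in dex_strings for p in patterns if re.search(p, s)})
        if hits:
            matched[name] = hits
    return Verdict(staged_loader=all(k in matched for k in REQUIRED), matched=matched)


def triage_file(path):
    """Convenience wrapper: one string per line, as produced by `strings classes.dex`."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return triage(line.rstrip("\n") for line in fh)


# Constructed sample inputs (hypothetical, not real Lipizzan artifacts).
SUSPECT_STRINGS = [
    "Ldalvik/system/DexClassLoader;",
    "Ljava/net/HttpURLConnection;",
    "https://updates.example.invalid/verify",   # placeholder host
    "getCodeCacheDir",
    "stage2.dex",
    "License verification in progress",
]
BENIGN_STRINGS = [  # downloads images, never loads code
    "Ljava/net/HttpURLConnection;",
    "https://images.example.invalid/avatar.png",  # placeholder host
    "Ljava/io/FileOutputStream;",
    "avatar_cache",
]

if __name__ == "__main__":
    for label, strings in (("suspect", SUSPECT_STRINGS), ("benign", BENIGN_STRINGS)):
        v = triage(strings)
        print(f"{label}: staged_loader={v.staged_loader} matched={sorted(v.matched)}")
```

The benign sample trips two of the three required classes (it fetches over HTTP and writes files) but is not flagged, which is the point of requiring the full chain rather than any single indicator; the "pretext" class is reported but never decides the verdict on its own, since plenty of honest apps check licenses. A hit from this script is a reason to pull the app into a sandbox and watch what it downloads, not a conviction.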

Lipizzan is a powerful spyware utility

Once Lipizzan gained root privileges, the malware had the ability to perform the following operations:

Call recording
VoIP recording
Recording from the device microphone
Location monitoring
Taking screenshots
Taking photos with the device camera(s)
Fetching device information and files
Fetching user information (contacts, call logs, SMS, application-specific data)
Retrieving data from each of the following apps: Gmail, Hangouts, KakaoTalk, LinkedIn, Messenger, Skype, Snapchat, StockEmail, Telegram, Threema, Viber, and WhatsApp

Google says that it detected two waves of Lipizzan-infected apps uploaded to the Play Store, and that the second wave included technical modifications to how the second-stage component operates. This suggests Lipizzan's operators were aware that Google had detected their malware and were actively developing ways to bypass Google's security checks.

It is unclear who was operating the malware, or what was the purpose of deploying it on the official Google Play Store.

In April, Google disclosed the Chrysaor Android spyware, developed by another Israeli cyber arms company, NSO Group, the same company behind the Pegasus iOS spyware. According to Google's analysis, Chrysaor was the Android version of Pegasus.

Details about both Lipizzan and Chrysaor were presented today at the Black Hat USA 2017 security conference in Las Vegas, in a session titled "Fighting Targeted Malware in the Mobile Ecosystem."