Google Uncovers Highly Targeted “Lipizzan” Spyware
A team of security researchers at Google discovered and blocked a new family of Android malware developed by a cyber arms company that may have its roots in state-sponsored spying efforts.
The malware could hijack a user’s email, SMS messages, location information, voice calls and local media. It could also take screenshots and record audio and video.
Google says it was able to spot the malicious apps through a combination of machine learning, app certificate comparison and aggregate mobile data analysis.
When active, Lipizzan could steal data from a number of apps, including Gmail, Google Hangouts, LinkedIn, Facebook Messenger, Skype, Snapchat, popular messaging platforms such as WhatsApp and Viber, and the encrypted communications app Telegram.
Google blocked the first set of Lipizzan apps, but new versions were uploaded within a week of the takedown, this time made to look like notepads, sound recorders and alarm managers. Researchers said the authors responded with only easy modifications, changing the branding of the implant apps.
Lipizzan was a two-stage piece of malware designed to fool the code-checking mechanisms Google uses to keep malicious software out of the Play Store. The first stage was distributed through Google Play and other channels and usually masqueraded as a legitimate app, mainly notepads, sound recorders and alarm managers. Once downloaded by an Android device user, the innocuous app would fetch a second-stage component containing the malicious code, which escaped security checks by posing as a license verification process. The second stage made use of an Advanced Encryption Standard (AES) key.
In April, Google officials had warned of a different family of Android surveillance apps from another provider of intercept tools, NSO Group Technologies; that organization’s Android offering is dubbed Chrysaor. Samples of Chrysaor, disguised as legitimate-looking apps, were found by Lookout and forwarded to Google, which used its Verify Apps tool in Android to remove any instances of the spyware.
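The detection approach the article describes (certificate comparison, aggregate data analysis, and the wave of rebranded re-uploads within a week of a takedown) can be sketched as a small triage script. The script below is an added example, not Google's code or anything from the article: it blocklists the signing certificates seen in a takedown, then groups fresh uploads by signer so that a cluster of differently branded packages from one signer stands out, including the case where the authors rotate to a new key that a plain blocklist would miss. The package names, fingerprints, dates and the seven-day window are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class AppRecord:
    package: str          # Android package name
    signer_sha256: str    # hex SHA-256 of the APK signing certificate
    uploaded: date        # date the listing appeared


# Constructed placeholders, not real fingerprints, package names or dates.
SIGNER_A = "aa" * 32     # certificate used by the first, taken-down wave
SIGNER_B = "bb" * 32     # a rotated certificate used for a later wave
SIGNER_OK = "cc" * 32    # an unrelated, benign developer

TAKEDOWN_DATE = date(2017, 7, 20)   # constructed date of the first takedown

TAKEN_DOWN = [
    AppRecord("com.example.backup", SIGNER_A, date(2017, 7, 1)),
    AppRecord("com.example.cleaner", SIGNER_A, date(2017, 7, 3)),
]

FEED = [
    # Re-uploads within a week, rebranded but still signed with SIGNER_A.
    AppRecord("com.example.notepad", SIGNER_A, date(2017, 7, 22)),
    AppRecord("com.example.soundrecorder", SIGNER_A, date(2017, 7, 24)),
    AppRecord("com.example.alarmmanager", SIGNER_A, date(2017, 7, 25)),
    # A wave with a rotated key: certificate comparison alone misses it.
    AppRecord("com.example.notes2", SIGNER_B, date(2017, 7, 26)),
    AppRecord("com.example.recorder2", SIGNER_B, date(2017, 7, 26)),
    # Benign app outside the pattern.
    AppRecord("com.example.weather", SIGNER_OK, date(2017, 7, 23)),
    # Same signer but uploaded long after the window; clustering ignores it.
    AppRecord("com.example.late", SIGNER_A, date(2017, 9, 1)),
]


def build_blocklist(taken_down):
    """Certificate comparison: every signer seen in a takedown is blocked."""
    return {r.signer_sha256 for r in taken_down}


def flag_by_signer(feed, blocklist):
    """Return the packages in `feed` signed with a blocklisted certificate."""
    return sorted(r.package for r in feed if r.signer_sha256 in blocklist)


def rebrand_clusters(feed, takedown_date, window_days=7, min_apps=2):
    """Aggregate view: group uploads in the window after the takedown by
    signer and return signers that published at least `min_apps` distinct
    packages.  A rotated key is still caught as long as it is reused."""
    end = takedown_date + timedelta(days=window_days)
    by_signer = defaultdict(set)
    for r in feed:
        if takedown_date <= r.uploaded <= end:
            by_signer[r.signer_sha256].add(r.package)
    return {s: sorted(p) for s, p in by_signer.items() if len(p) >= min_apps}


def triage(feed, taken_down, takedown_date):
    """Combine both signals into one report for an analyst to review."""
    blocklist = build_blocklist(taken_down)
    return {
        "blocklisted": flag_by_signer(feed, blocklist),
        "clusters": rebrand_clusters(feed, takedown_date),
    }


if __name__ == "__main__":
    for signal, hits in triage(FEED, TAKEN_DOWN, TAKEDOWN_DATE).items():
        print(signal, hits)
```

Run directly, the script lists the four packages signed with the taken-down certificate and two clusters: the three rebranded re-uploads under the old key and the two apps under the rotated key, while the lone benign app and the upload outside the window do not appear in any cluster.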
Source | Express News Line