New Spyware Discovered in Android Apps Hosted On Google Play

A new multi-stage spyware family called Lippizan was discovered lately, after it had already been downloaded from Google Play by users.

Jul 29, 2017Security
Lipizzan Spyware on Google Play

The newly discovered Lippizan spyware is a sophisticated, two-stage tool, capable of monitoring and exfiltrating a user’s email, SMS messages, location, voice calls, and media.

According to current findings, about 20 Google Play apps were infecting users with Lippizan spyware in a targeted fashion, all of which were found to be referencing (through Lippizan’s code) a tech company called Equus Technologies based in New Delhi, India.

How Lippizan Circumvented Android

As said, Lippizan is a two-stage spyware software – a fact which probably proved crucial for it getting into Google Play in the first place.

Once installed on a user’s device, a Lippizan carrying app would download and execute an additional “license verification” mechanism that survey the infected device and validate certain abort criteria. If the device is found fit for the task, Lippizan would then commence its second stage of rooting the device with known exploits and begin to exfiltrate device data to an external server.

It was discovered that Lippizan had a routine to retrieve data from each of the following apps:

  • Whatsapp
  • Telegram
  • Snapchat
  • Skype
  • Messenger
  • Gmail
  • LinkedIn
  • Hangouts
  • Viber
  • KakaoTalk
  • StockEmail
  • Threema

Another interesting thing about Lippizan is that the apps that were carrying it all had seemingly innocuous names such as: “backup”, “cleaner”, “notepad” or “sound recorder”, perhaps in order to give users the impression these apps are very basic and simple, therefore probably harmless as well.

Big Brother Regains Control

To those among you who might be worried it’s time to let you know that the ever watchful eye of Google has managed to catch Lippizan, apparently before it managed to turn epidemic, and remove both the apps and their developers off of ‘Android ecosystem’.

According to Google, no more than 100 devices among those which are checked into ‘Google Play Protect‘ (GPP) have been infected by Lippizan.

GPP, says Google, was also the main means through which Google has managed to catch Lippizan at such an early stage of its infection. Android users who were infected by the spyware were notified by GPP, and had Lippizan removed from their devices as well.