Google experts blocked a new targeted malware family, the Lipizzan spyware

Pierluigi Paganini July 27, 2017

Google has identified a new strain of Android malware, the Lipizzan spyware, that could be used as a powerful surveillance tool.

Malware researchers at Google have spotted a new strain of Android spyware dubbed Lipizzan that could exfiltrate any kind of data from mobile devices and use them as surveillance tools.

The Lipizzan spyware is a project developed by Israeli startup Equus Technologies, the company description on LinkedIn reads:

“Equus Technologies is a privately held company specialising in the development of tailor made innovative solutions for law enforcement, intelligence agencies, and national security organisations.”

The experts have found the Lipizzan spyware sample in the wild while investigating other threats, the IT giant used also the recently presented Google Play Protect technology. 

“In the course of our Chrysaor investigation, we used similar techniques to discover a new and unrelated family of spyware called Lipizzan. Lipizzan’s code contains references to a cyber arms company, Equus Technologies.” states the analysis published by Google.

“Lipizzan is a multi-stage spyware product capable of monitoring and exfiltrating a user’s email, SMS messages, location, voice calls, and media.”

Google researchers have found at least 20 apps in Play Store which infected fewer than 100 Android smartphones in total, the company classified the infections as targeted attacks.

“We have found 20 Lipizzan apps distributed in a targeted fashion to fewer than 100 devices in total and have blocked the developers and apps from the Android ecosystem. Google Play Protect has notified all affected devices and removed the Lipizzan apps.” states Google.

Lipizzan spyware

Google removed the infected apps from the stores, while Google Play Protect has notified all affected victims.

The Lipizzan spyware is a sophisticated multi-stage spyware that could be used by attackers to gain full access to a target Android device in two phases.

In the first stage, attackers distribute Lipizzan by concealing it as a legitimate app such “Cleaner” through the Android app stores, including the official Play store.

Once the victims have installed the malicious code, it would download and load a second “license verification” stage.

The code verifies that certain conditions are matched then it will root the device with known exploits and begin to exfiltrate device data to a Command & Control server.

Experts explained that the Lipizzan spyware is able to monitor and steal victim’s email, SMS messages, screenshots, photos, voice calls, contacts, application-specific data, location and device information.

The spyware is also able to collect data from specific apps, including WhatsApp, Snapchat, Viber, Telegram, Facebook Messenger, LinkedIn, Gmail, Skype, Hangouts, and KakaoTalk.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  (Lipizzan spyware, Google)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment