Google experts blocked a new targeted malware family, the Lipizzan spyware

Google has identified a new strain of Android malware, the Lipizzan spyware, that could be used as a powerful surveillance tool.

Malware researchers at Google have spotted a new strain of Android spyware dubbed Lipizzan that could exfiltrate any kind of data from mobile devices and use them as surveillance tools.

The Lipizzan spyware is a project developed by Israeli startup Equus Technologies, the company description on LinkedIn reads:

“Equus Technologies is a privately held company specialising in the development of tailor made innovative solutions for law enforcement, intelligence agencies, and national security organisations.”

The experts have found the Lipizzan spyware sample in the wild while investigating other threats, the IT giant used also the recently presented Google Play Protect technology.

“In the course of our Chrysaor investigation, we used similar techniques to discover a new and unrelated family of spyware called Lipizzan. Lipizzan’s code contains references to a cyber arms company, Equus Technologies.” states the analysis published by Google.

“Lipizzan is a multi-stage spyware product capable of monitoring and exfiltrating a user’s email, SMS messages, location, voice calls, and media.”

Google researchers have found at least 20 apps in Play Store which infected fewer than 100 Android smartphones in total, the company classified the infections as targeted attacks.

“We have found 20 Lipizzan apps distributed in a targeted fashion to fewer than 100 devices in total and have blocked the developers and apps from the Android ecosystem. Google Play Protect has notified all affected devices and removed the Lipizzan apps.” states Google.

Google removed the infected apps from the stores, while Google Play Protect has notified all affected victims.

The Lipizzan spyware is a sophisticated multi-stage spyware that could be used by attackers to gain full access to a target Android device in two phases.

In the first stage, attackers distribute Lipizzan by concealing it as a legitimate app such “Cleaner” through the Android app stores, including the official Play store.

Once the victims have installed the malicious code, it would download and load a second “license verification” stage.

The code verifies that certain conditions are matched then it will root the device with known exploits and begin to exfiltrate device data to a Command & Control server.

Experts explained that the Lipizzan spyware is able to monitor and steal victim’s email, SMS messages, screenshots, photos, voice calls, contacts, application-specific data, location and device information.

The spyware is also able to collect data from specific apps, including WhatsApp, Snapchat, Viber, Telegram, Facebook Messenger, LinkedIn, Gmail, Skype, Hangouts, and KakaoTalk.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – (Lipizzan spyware, Google)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.